# Flog Txt Version 1 # Analyzer Version: 2023.1.0 # Analyzer Build Date: Jan 31 2023 05:27:17 # Log Creation Date: 03.02.2023 18:26:08.623 Process: id = "1" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x4324e000" os_pid = "0xfc4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x760" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fel=\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\tmpacqpvsqb\" /s" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 108 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 109 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 110 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 111 start_va = 0x110000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 112 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 113 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 114 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 115 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 116 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 117 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 118 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 119 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 259 start_va = 0x210000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 260 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 261 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 262 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 263 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 264 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 265 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 266 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 267 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 268 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 269 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 270 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 271 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 272 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 273 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 274 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 275 start_va = 0x350000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 276 start_va = 0x410000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 277 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 278 start_va = 0x510000 end_va = 0x697fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 279 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 280 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 281 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 282 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 283 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 284 start_va = 0x6a0000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 285 start_va = 0x830000 end_va = 0x1c2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 286 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 287 start_va = 0x350000 end_va = 0x3ccfff monitored = 0 entry_point = 0x35cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 288 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 289 start_va = 0x350000 end_va = 0x3ccfff monitored = 0 entry_point = 0x35cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 290 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 291 start_va = 0x7fefbb20000 end_va = 0x7fefbb75fff monitored = 0 entry_point = 0x7fefbb2bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 292 start_va = 0x1c30000 end_va = 0x1e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 293 start_va = 0x1c30000 end_va = 0x1d0efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c30000" filename = "" Region: id = 294 start_va = 0x1d90000 end_va = 0x1e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d90000" filename = "" Region: id = 295 start_va = 0x1e10000 end_va = 0x20defff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 296 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 297 start_va = 0x2120000 end_va = 0x221ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 298 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 299 start_va = 0x7fefbb80000 end_va = 0x7fefbcabfff monitored = 0 entry_point = 0x7fefbb894bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 300 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 301 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 302 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 303 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 304 start_va = 0x7fefbd00000 end_va = 0x7fefbef3fff monitored = 0 entry_point = 0x7fefbe8c924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 305 start_va = 0xf0000 end_va = 0xf0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 306 start_va = 0x100000 end_va = 0x101fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 307 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 308 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 309 start_va = 0x210000 end_va = 0x210fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 310 start_va = 0x250000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 311 start_va = 0x7fefb250000 end_va = 0x7fefb27cfff monitored = 0 entry_point = 0x7fefb251010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 312 start_va = 0x7fefd6d0000 end_va = 0x7fefd721fff monitored = 0 entry_point = 0x7fefd6d10d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 313 start_va = 0x220000 end_va = 0x223fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 314 start_va = 0x230000 end_va = 0x24cfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000b.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000b.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000b.db") Region: id = 315 start_va = 0x350000 end_va = 0x350fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 316 start_va = 0x220000 end_va = 0x223fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 317 start_va = 0x360000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000015.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000015.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000015.db") Region: id = 318 start_va = 0x390000 end_va = 0x393fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 319 start_va = 0x1d10000 end_va = 0x1d75fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 320 start_va = 0x3a0000 end_va = 0x3adfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 321 start_va = 0x7fefdbb0000 end_va = 0x7fefdd27fff monitored = 0 entry_point = 0x7fefdbb10e0 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 322 start_va = 0x7fefee90000 end_va = 0x7fefefb9fff monitored = 0 entry_point = 0x7fefee910d4 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 323 start_va = 0x7fefd950000 end_va = 0x7fefdba8fff monitored = 0 entry_point = 0x7fefd951340 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 324 start_va = 0x7fefd2c0000 end_va = 0x7fefd42cfff monitored = 0 entry_point = 0x7fefd2c10b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 325 start_va = 0x7fefd270000 end_va = 0x7fefd27efff monitored = 0 entry_point = 0x7fefd271020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 326 start_va = 0x7fefd090000 end_va = 0x7fefd0b4fff monitored = 0 entry_point = 0x7fefd099658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 327 start_va = 0x3b0000 end_va = 0x3b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 328 start_va = 0x2400000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 329 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 330 start_va = 0x22a0000 end_va = 0x239ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022a0000" filename = "" Region: id = 331 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 332 start_va = 0x2160000 end_va = 0x225ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 333 start_va = 0x7feff3b0000 end_va = 0x7feff586fff monitored = 0 entry_point = 0x7feff3b1010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 334 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 335 start_va = 0x7fefd540000 end_va = 0x7fefd575fff monitored = 0 entry_point = 0x7fefd541474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 336 start_va = 0x7fefd580000 end_va = 0x7fefd599fff monitored = 0 entry_point = 0x7fefd581558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 369 start_va = 0x3c0000 end_va = 0x3ccfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 370 start_va = 0x3d0000 end_va = 0x3d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 411 start_va = 0x2100000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 412 start_va = 0x2510000 end_va = 0x260ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002510000" filename = "" Region: id = 413 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 414 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 460 start_va = 0x2560000 end_va = 0x265ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 461 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 506 start_va = 0x2620000 end_va = 0x271ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 507 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 556 start_va = 0x26e0000 end_va = 0x27dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 557 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 613 start_va = 0x26a0000 end_va = 0x279ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 614 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 643 start_va = 0x25c0000 end_va = 0x26bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 644 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 707 start_va = 0x26a0000 end_va = 0x279ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 708 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 745 start_va = 0x2540000 end_va = 0x263ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 805 start_va = 0x2680000 end_va = 0x277ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002680000" filename = "" Region: id = 806 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 852 start_va = 0x3e0000 end_va = 0x3e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 853 start_va = 0x2560000 end_va = 0x265ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 897 start_va = 0x2680000 end_va = 0x277ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002680000" filename = "" Region: id = 898 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 949 start_va = 0x2640000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 950 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 996 start_va = 0x2680000 end_va = 0x277ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002680000" filename = "" Region: id = 997 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1044 start_va = 0x26e0000 end_va = 0x27dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 1045 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1121 start_va = 0x25e0000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 1225 start_va = 0x25a0000 end_va = 0x269ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 1251 start_va = 0x2560000 end_va = 0x265ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 1252 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1407 start_va = 0x2540000 end_va = 0x263ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 1476 start_va = 0x25c0000 end_va = 0x26bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 2632 start_va = 0x26c0000 end_va = 0x27bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026c0000" filename = "" Region: id = 2783 start_va = 0x2580000 end_va = 0x267ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 3022 start_va = 0x26c0000 end_va = 0x27bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026c0000" filename = "" Region: id = 3023 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3147 start_va = 0x25a0000 end_va = 0x269ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 3366 start_va = 0x2260000 end_va = 0x235ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002260000" filename = "" Region: id = 3367 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 1 os_tid = 0xfc8 [0047.752] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fe58 | out: lpSystemTimeAsFileTime=0x20fe58*(dwLowDateTime=0x16be8ae0, dwHighDateTime=0x1d937fd)) [0047.752] GetCurrentThreadId () returned 0xfc8 [0047.752] GetCurrentProcessId () returned 0xfc4 [0047.752] QueryPerformanceCounter (in: lpPerformanceCount=0x20fe60 | out: lpPerformanceCount=0x20fe60*=3317226930622) returned 1 [0047.753] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0047.757] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0047.757] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0047.758] GetLastError () returned 0x7e [0047.758] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0047.758] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0047.758] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0047.760] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0047.760] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0047.760] GetProcessHeap () returned 0x250000 [0047.761] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0047.761] GetLastError () returned 0x7e [0047.761] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0047.761] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0047.761] GetLastError () returned 0x7e [0047.761] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0047.761] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0047.761] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c8) returned 0x26cfe0 [0047.762] SetLastError (dwErrCode=0x7e) [0047.762] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1200) returned 0x26d3b0 [0047.763] GetStartupInfoW (in: lpStartupInfo=0x20fd30 | out: lpStartupInfo=0x20fd30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x20fdb8, hStdError=0x1)) [0047.764] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0047.764] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0047.764] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0047.764] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fel=\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\tmpacqpvsqb\" /s" [0047.764] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fel=\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\tmpacqpvsqb\" /s" [0047.764] GetACP () returned 0x4e4 [0047.764] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x228) returned 0x26abc0 [0047.764] IsValidCodePage (CodePage=0x4e4) returned 1 [0047.764] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x20fcf0 | out: lpCPInfo=0x20fcf0) returned 1 [0047.764] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x20f590 | out: lpCPInfo=0x20f590) returned 1 [0047.764] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f5b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0047.764] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f5b0, cbMultiByte=256, lpWideCharStr=0x20f2e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0047.764] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x20f8b0 | out: lpCharType=0x20f8b0) returned 1 [0047.765] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f5b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0047.765] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f5b0, cbMultiByte=256, lpWideCharStr=0x20f280, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0047.765] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0047.765] GetLastError () returned 0x7e [0047.765] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0047.765] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0047.766] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x20f070, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0047.766] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x20f6b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÀ«&", lpUsedDefaultChar=0x0) returned 256 [0047.766] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f5b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0047.766] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f5b0, cbMultiByte=256, lpWideCharStr=0x20f280, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0047.766] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0047.766] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x20f070, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0047.766] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x20f7b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0047.766] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x100) returned 0x26f5c0 [0047.766] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0047.766] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1ba) returned 0x26f6d0 [0047.766] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0047.766] GetLastError () returned 0x0 [0047.767] SetLastError (dwErrCode=0x0) [0047.767] GetEnvironmentStringsW () returned 0x26f8a0* [0047.767] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xb32) returned 0x2703e0 [0047.767] FreeEnvironmentStringsW (penv=0x26f8a0) returned 1 [0047.767] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x128) returned 0x26f8a0 [0047.767] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3e) returned 0x26b010 [0047.767] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x56) returned 0x26adf0 [0047.767] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x62) returned 0x270f20 [0047.767] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x78) returned 0x26f9d0 [0047.767] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x62) returned 0x26fa50 [0047.767] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x30) returned 0x26e930 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x48) returned 0x26b060 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x28) returned 0x2679d0 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1a) returned 0x267a00 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x34) returned 0x26e970 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x5c) returned 0x26fac0 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x32) returned 0x26e9b0 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2e) returned 0x26e9f0 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1c) returned 0x267a30 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x19c) returned 0x26fb30 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x7c) returned 0x26fce0 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3a) returned 0x26b0b0 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x90) returned 0x26fd70 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x24) returned 0x267a60 [0047.769] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x30) returned 0x26ea30 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x36) returned 0x26ea70 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c) returned 0x26b100 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x52) returned 0x26fe10 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c) returned 0x26b150 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xd6) returned 0x26fe70 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2e) returned 0x26eab0 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1e) returned 0x267a90 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2c) returned 0x26eaf0 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x54) returned 0x26ff50 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x52) returned 0x26ffb0 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2c) returned 0x26eb30 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x26) returned 0x267ac0 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3e) returned 0x26b1a0 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x24) returned 0x267af0 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x30) returned 0x26eb70 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x8c) returned 0x270010 [0047.770] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2703e0 | out: hHeap=0x250000) returned 1 [0047.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1000) returned 0x270f90 [0047.771] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0047.771] GetStartupInfoW (in: lpStartupInfo=0x20fdc0 | out: lpStartupInfo=0x20fdc0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0047.771] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fel=\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\tmpacqpvsqb\" /s" [0047.771] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fel=\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\tmpacqpvsqb\" /s", pNumArgs=0x20fd90 | out: pNumArgs=0x20fd90) returned 0x270530*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0047.771] CoInitializeEx (pvReserved=0x0, dwCoInit=0x6) returned 0x0 [0047.810] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x58) returned 0x278370 [0047.811] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\tmpacqpvsqb" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\tmpacqpvsqb"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x20fae8, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x8c [0047.812] GetFileType (hFile=0x8c) returned 0x1 [0047.812] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x4000) returned 0x27b970 [0047.812] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x1000) returned 0x27f980 [0047.813] ReadFile (in: hFile=0x8c, lpBuffer=0x27f980, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x20fbb8, lpOverlapped=0x0 | out: lpBuffer=0x27f980*, lpNumberOfBytesRead=0x20fbb8*=0x694, lpOverlapped=0x0) returned 1 [0047.813] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0047.813] GetLastError () returned 0x0 [0047.813] SetLastError (dwErrCode=0x0) [0047.814] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0048.145] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0048.146] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0048.146] GetLastError () returned 0x0 [0048.146] SetLastError (dwErrCode=0x0) [0048.147] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0048.266] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0048.268] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0048.268] GetLastError () returned 0x0 [0048.268] SetLastError (dwErrCode=0x0) [0048.268] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0048.517] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0048.518] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0048.518] GetLastError () returned 0x0 [0048.518] SetLastError (dwErrCode=0x0) [0048.518] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0048.746] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0048.747] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0048.747] GetLastError () returned 0x0 [0048.747] SetLastError (dwErrCode=0x0) [0048.747] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0049.176] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0049.177] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0049.177] GetLastError () returned 0x0 [0049.177] SetLastError (dwErrCode=0x0) [0049.177] GetLastError () returned 0x0 [0049.177] SetLastError (dwErrCode=0x0) [0049.177] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0049.275] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0049.276] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0049.276] GetLastError () returned 0x0 [0049.276] SetLastError (dwErrCode=0x0) [0049.276] GetLastError () returned 0x0 [0049.276] SetLastError (dwErrCode=0x0) [0049.276] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0049.944] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0049.945] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0049.946] GetLastError () returned 0x0 [0049.946] SetLastError (dwErrCode=0x0) [0049.946] GetLastError () returned 0x0 [0049.946] SetLastError (dwErrCode=0x0) [0049.946] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0050.103] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0050.104] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0050.104] GetLastError () returned 0x0 [0050.105] SetLastError (dwErrCode=0x0) [0050.105] GetLastError () returned 0x0 [0050.105] SetLastError (dwErrCode=0x0) [0050.105] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0051.209] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0051.209] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0051.209] GetLastError () returned 0x0 [0051.209] SetLastError (dwErrCode=0x0) [0051.210] GetLastError () returned 0x0 [0051.210] SetLastError (dwErrCode=0x0) [0051.210] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"0\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0051.386] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0051.388] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0051.388] GetLastError () returned 0x0 [0051.388] SetLastError (dwErrCode=0x0) [0051.388] GetLastError () returned 0x0 [0051.388] SetLastError (dwErrCode=0x0) [0051.388] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0052.645] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0052.645] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0052.645] GetLastError () returned 0x0 [0052.646] SetLastError (dwErrCode=0x0) [0052.646] GetLastError () returned 0x0 [0052.646] SetLastError (dwErrCode=0x0) [0052.646] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0053.821] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0053.822] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0053.823] GetLastError () returned 0x0 [0053.823] SetLastError (dwErrCode=0x0) [0053.823] GetLastError () returned 0x0 [0053.823] SetLastError (dwErrCode=0x0) [0053.823] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0054.605] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0054.606] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0054.607] GetLastError () returned 0x0 [0054.607] SetLastError (dwErrCode=0x0) [0054.607] GetLastError () returned 0x0 [0054.607] SetLastError (dwErrCode=0x0) [0054.607] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0056.226] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0056.228] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0056.228] GetLastError () returned 0x0 [0056.228] SetLastError (dwErrCode=0x0) [0056.228] GetLastError () returned 0x0 [0056.228] SetLastError (dwErrCode=0x0) [0056.228] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0057.765] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0057.765] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0057.766] GetLastError () returned 0x0 [0057.766] SetLastError (dwErrCode=0x0) [0057.766] GetLastError () returned 0x0 [0057.766] SetLastError (dwErrCode=0x0) [0057.766] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0059.100] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0059.101] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0059.101] GetLastError () returned 0x0 [0059.101] SetLastError (dwErrCode=0x0) [0059.101] GetLastError () returned 0x0 [0059.101] SetLastError (dwErrCode=0x0) [0059.101] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0059.319] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0059.319] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0059.319] GetLastError () returned 0x0 [0059.319] SetLastError (dwErrCode=0x0) [0059.319] GetLastError () returned 0x0 [0059.319] SetLastError (dwErrCode=0x0) [0059.319] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0060.585] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0060.586] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0060.586] GetLastError () returned 0x0 [0060.586] SetLastError (dwErrCode=0x0) [0060.586] GetLastError () returned 0x0 [0060.586] SetLastError (dwErrCode=0x0) [0060.586] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0064.192] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0064.192] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0064.192] GetLastError () returned 0x0 [0064.193] SetLastError (dwErrCode=0x0) [0064.193] GetLastError () returned 0x0 [0064.193] SetLastError (dwErrCode=0x0) [0064.193] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"Install\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0065.782] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0065.783] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0065.783] GetLastError () returned 0x0 [0065.783] SetLastError (dwErrCode=0x0) [0065.783] GetLastError () returned 0x0 [0065.784] SetLastError (dwErrCode=0x0) [0065.784] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"DefaultInstall\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"DefaultInstall\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0066.093] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0066.094] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0066.094] GetLastError () returned 0x0 [0066.094] SetLastError (dwErrCode=0x0) [0066.094] GetLastError () returned 0x0 [0066.094] SetLastError (dwErrCode=0x0) [0066.094] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"DefaultInstall\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"DefaultInstall\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0069.145] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0069.146] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0069.146] GetLastError () returned 0x0 [0069.146] SetLastError (dwErrCode=0x0) [0069.146] GetLastError () returned 0x0 [0069.146] SetLastError (dwErrCode=0x0) [0069.146] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"DefaultInstall\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"DefaultInstall\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0070.904] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0070.904] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0070.904] GetLastError () returned 0x0 [0070.904] SetLastError (dwErrCode=0x0) [0070.904] GetLastError () returned 0x0 [0070.904] SetLastError (dwErrCode=0x0) [0070.904] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"DefaultInstall\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"DefaultInstall\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0071.316] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0071.316] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0071.316] GetLastError () returned 0x0 [0071.316] SetLastError (dwErrCode=0x0) [0071.316] GetLastError () returned 0x0 [0071.316] SetLastError (dwErrCode=0x0) [0071.316] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"DefaultInstall\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"DefaultInstall\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0076.081] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0076.081] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0076.082] GetLastError () returned 0x0 [0076.082] SetLastError (dwErrCode=0x0) [0076.082] GetLastError () returned 0x0 [0076.082] SetLastError (dwErrCode=0x0) [0076.082] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"127.0.0.1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"127.0.0.1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0078.818] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0078.818] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0078.818] GetLastError () returned 0x0 [0078.818] SetLastError (dwErrCode=0x0) [0078.818] GetLastError () returned 0x0 [0078.818] SetLastError (dwErrCode=0x0) [0078.818] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"127.0.0.1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"127.0.0.1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0081.186] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0081.186] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0081.186] GetLastError () returned 0x0 [0081.186] SetLastError (dwErrCode=0x0) [0081.186] GetLastError () returned 0x0 [0081.186] SetLastError (dwErrCode=0x0) [0081.187] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"127.0.0.1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"127.0.0.1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0086.134] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0086.135] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0086.135] GetLastError () returned 0x0 [0086.135] SetLastError (dwErrCode=0x0) [0086.135] GetLastError () returned 0x0 [0086.135] SetLastError (dwErrCode=0x0) [0086.135] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"127.0.0.1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"127.0.0.1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0092.331] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0092.331] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0092.331] GetLastError () returned 0x0 [0092.331] SetLastError (dwErrCode=0x0) [0092.331] GetLastError () returned 0x0 [0092.332] SetLastError (dwErrCode=0x0) [0092.332] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"127.0.0.1\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"127.0.0.1\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0094.510] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0094.511] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0094.511] GetLastError () returned 0x0 [0094.511] SetLastError (dwErrCode=0x0) [0094.511] GetLastError () returned 0x0 [0094.511] SetLastError (dwErrCode=0x0) [0094.511] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"explorer.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"explorer.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0098.974] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0098.974] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0098.974] GetLastError () returned 0x0 [0098.975] SetLastError (dwErrCode=0x0) [0098.975] GetLastError () returned 0x0 [0098.975] SetLastError (dwErrCode=0x0) [0098.975] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"explorer.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"explorer.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0104.050] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0104.050] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0104.050] GetLastError () returned 0x0 [0104.050] SetLastError (dwErrCode=0x0) [0104.050] GetLastError () returned 0x0 [0104.051] SetLastError (dwErrCode=0x0) [0104.051] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"explorer.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"explorer.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0106.379] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0106.379] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0106.380] GetLastError () returned 0x0 [0106.380] SetLastError (dwErrCode=0x0) [0106.380] GetLastError () returned 0x0 [0106.380] SetLastError (dwErrCode=0x0) [0106.380] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"explorer.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"explorer.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0110.614] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0110.681] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0110.681] GetLastError () returned 0x0 [0110.681] SetLastError (dwErrCode=0x0) [0110.681] GetLastError () returned 0x0 [0110.681] SetLastError (dwErrCode=0x0) [0110.681] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"explorer.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"explorer.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0116.829] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0116.830] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0116.830] GetLastError () returned 0x0 [0116.830] SetLastError (dwErrCode=0x0) [0116.830] GetLastError () returned 0x0 [0116.830] SetLastError (dwErrCode=0x0) [0116.830] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"iexplore.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"iexplore.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0122.417] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0122.417] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0122.418] GetLastError () returned 0x0 [0122.418] SetLastError (dwErrCode=0x0) [0122.418] GetLastError () returned 0x0 [0122.418] SetLastError (dwErrCode=0x0) [0122.418] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"iexplore.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"iexplore.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0129.877] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0129.878] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0129.878] GetLastError () returned 0x0 [0129.878] SetLastError (dwErrCode=0x0) [0129.878] GetLastError () returned 0x0 [0129.878] SetLastError (dwErrCode=0x0) [0129.878] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"iexplore.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"iexplore.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0135.023] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0135.024] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0135.025] GetLastError () returned 0x0 [0135.025] SetLastError (dwErrCode=0x0) [0135.025] GetLastError () returned 0x0 [0135.025] SetLastError (dwErrCode=0x0) [0135.025] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"iexplore.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"iexplore.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0138.205] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0138.206] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0138.206] GetLastError () returned 0x0 [0138.206] SetLastError (dwErrCode=0x0) [0138.206] GetLastError () returned 0x0 [0138.206] SetLastError (dwErrCode=0x0) [0138.206] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"iexplore.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"iexplore.exe\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0139.725] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0139.725] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0139.725] GetLastError () returned 0x0 [0139.726] SetLastError (dwErrCode=0x0) [0139.726] GetLastError () returned 0x0 [0139.726] SetLastError (dwErrCode=0x0) [0139.726] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"%Temp%\\IXP000.TMP\\\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"%Temp%\\IXP000.TMP\\\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0140.344] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0140.344] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0140.344] GetLastError () returned 0x0 [0140.344] SetLastError (dwErrCode=0x0) [0140.344] GetLastError () returned 0x0 [0140.344] SetLastError (dwErrCode=0x0) [0140.344] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"%Temp%\\IXP000.TMP\\\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"%Temp%\\IXP000.TMP\\\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0140.895] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0140.895] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0140.895] GetLastError () returned 0x0 [0140.895] SetLastError (dwErrCode=0x0) [0140.895] GetLastError () returned 0x0 [0140.895] SetLastError (dwErrCode=0x0) [0140.895] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"%Temp%\\IXP000.TMP\\\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"%Temp%\\IXP000.TMP\\\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0146.045] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0146.045] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0146.045] GetLastError () returned 0x0 [0146.045] SetLastError (dwErrCode=0x0) [0146.046] GetLastError () returned 0x0 [0146.046] SetLastError (dwErrCode=0x0) [0146.046] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"%Temp%\\IXP000.TMP\\\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"%Temp%\\IXP000.TMP\\\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0149.120] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0149.121] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6000) returned 0x280990 [0149.121] GetLastError () returned 0x0 [0149.121] SetLastError (dwErrCode=0x0) [0149.121] GetLastError () returned 0x0 [0149.122] SetLastError (dwErrCode=0x0) [0149.122] ShellExecuteExW (in: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"%Temp%\\IXP000.TMP\\\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x20fc10*(cbSize=0x70, fMask=0x0, hwnd=0x0, lpVerb="open", lpFile="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", lpParameters="/dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"%Temp%\\IXP000.TMP\\\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0150.588] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280990 | out: hHeap=0x250000) returned 1 [0150.588] ReadFile (in: hFile=0x8c, lpBuffer=0x27f980, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x20fbb8, lpOverlapped=0x0 | out: lpBuffer=0x27f980*, lpNumberOfBytesRead=0x20fbb8*=0x0, lpOverlapped=0x0) returned 1 [0150.589] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x27f980 | out: hHeap=0x250000) returned 1 [0150.591] CloseHandle (hObject=0x8c) returned 1 [0150.592] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x27b970 | out: hHeap=0x250000) returned 1 [0150.593] CoUninitialize () [0150.607] LocalFree (hMem=0x270530) returned 0x0 [0150.607] GetModuleHandleW (lpModuleName=0x0) returned 0x13f8e0000 [0150.607] GetModuleHandleW (lpModuleName=0x0) returned 0x13f8e0000 [0150.608] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26f5c0 | out: hHeap=0x250000) returned 1 [0150.609] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x278370 | out: hHeap=0x250000) returned 1 [0150.610] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x270f90 | out: hHeap=0x250000) returned 1 [0150.610] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x0 [0150.611] GetLastError () returned 0x7e [0150.611] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x20fdb8 | out: phModule=0x20fdb8) returned 0 [0150.611] RtlExitUserProcess (ExitCode=0x0) [0150.613] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cfe0 | out: hHeap=0x250000) returned 1 Thread: id = 2 os_tid = 0xfcc Thread: id = 3 os_tid = 0xfd0 Thread: id = 4 os_tid = 0xfd4 Thread: id = 6 os_tid = 0xfe0 Thread: id = 8 os_tid = 0xfec Thread: id = 9 os_tid = 0xff0 Thread: id = 11 os_tid = 0xffc Thread: id = 13 os_tid = 0xba4 Thread: id = 15 os_tid = 0xbb0 Thread: id = 17 os_tid = 0xbbc Thread: id = 19 os_tid = 0xb94 Thread: id = 21 os_tid = 0xbe0 Thread: id = 23 os_tid = 0xbf8 Thread: id = 25 os_tid = 0x820 Thread: id = 27 os_tid = 0xd54 Thread: id = 29 os_tid = 0x644 Thread: id = 31 os_tid = 0xd8c Thread: id = 33 os_tid = 0x940 Thread: id = 35 os_tid = 0xdbc Thread: id = 37 os_tid = 0xdf8 Thread: id = 39 os_tid = 0xe14 Thread: id = 41 os_tid = 0xe6c Thread: id = 43 os_tid = 0xe9c Thread: id = 45 os_tid = 0xe20 Thread: id = 47 os_tid = 0xe84 Thread: id = 49 os_tid = 0xea8 Thread: id = 51 os_tid = 0xedc Thread: id = 53 os_tid = 0xec8 Thread: id = 55 os_tid = 0x9b0 Thread: id = 57 os_tid = 0xae0 Thread: id = 60 os_tid = 0xb1c Thread: id = 63 os_tid = 0xb44 Thread: id = 131 os_tid = 0xd5c Thread: id = 136 os_tid = 0xbbc Thread: id = 144 os_tid = 0xde0 Thread: id = 151 os_tid = 0xfb0 Thread: id = 154 os_tid = 0xbfc Thread: id = 160 os_tid = 0xb98 Thread: id = 164 os_tid = 0xda8 Thread: id = 171 os_tid = 0xe58 Thread: id = 178 os_tid = 0x7cc Thread: id = 184 os_tid = 0x498 Thread: id = 191 os_tid = 0x99c Thread: id = 193 os_tid = 0xd5c Thread: id = 195 os_tid = 0x64 Thread: id = 197 os_tid = 0x7a8 Thread: id = 199 os_tid = 0x230 Thread: id = 201 os_tid = 0x4c0 Process: id = "2" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x43d50000" os_pid = "0xfd8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 337 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 338 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 339 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 340 start_va = 0x1d0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 341 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 342 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 343 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 344 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 345 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 346 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 347 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 348 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 349 start_va = 0x50000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 350 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 351 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 352 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 353 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 354 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 355 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 356 start_va = 0xc0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 357 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 358 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 359 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 360 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 361 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 362 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 363 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 364 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 365 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 366 start_va = 0x2d0000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 367 start_va = 0x2d0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 368 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 371 start_va = 0x3d0000 end_va = 0x3f8fff monitored = 0 entry_point = 0x3d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 372 start_va = 0x4a0000 end_va = 0x627fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 373 start_va = 0x3d0000 end_va = 0x3f8fff monitored = 0 entry_point = 0x3d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 374 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 375 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 376 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 377 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 378 start_va = 0x630000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 379 start_va = 0x7c0000 end_va = 0x1bbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 424 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 425 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 426 start_va = 0x3d0000 end_va = 0x3d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 1299 start_va = 0x3e0000 end_va = 0x45dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1310 start_va = 0x1bc0000 end_va = 0x1d17fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 1363 start_va = 0x1d20000 end_va = 0x1e80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d20000" filename = "" Region: id = 1364 start_va = 0x7fefd2c0000 end_va = 0x7fefd42cfff monitored = 0 entry_point = 0x7fefd2c10b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1369 start_va = 0x7fefd270000 end_va = 0x7fefd27efff monitored = 0 entry_point = 0x7fefd271020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1370 start_va = 0x7fefd060000 end_va = 0x7fefd06afff monitored = 0 entry_point = 0x7fefd061030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1371 start_va = 0x7fefd090000 end_va = 0x7fefd0b4fff monitored = 0 entry_point = 0x7fefd099658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1372 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1373 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1374 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1375 start_va = 0x7fefabb0000 end_va = 0x7fefabc7fff monitored = 0 entry_point = 0x7fefabb1010 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1376 start_va = 0x7fefacc0000 end_va = 0x7feface6fff monitored = 0 entry_point = 0x7fefacc98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1377 start_va = 0x7fefed70000 end_va = 0x7fefed77fff monitored = 0 entry_point = 0x7fefed71504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1378 start_va = 0x7fefacb0000 end_va = 0x7fefacbafff monitored = 0 entry_point = 0x7fefacb1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1379 start_va = 0x7fefb550000 end_va = 0x7fefb560fff monitored = 0 entry_point = 0x7fefb551070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1408 start_va = 0x7feff280000 end_va = 0x7feff2ccfff monitored = 0 entry_point = 0x7feff281070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1409 start_va = 0x1e90000 end_va = 0x201ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 1527 start_va = 0x2020000 end_va = 0x22eefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1564 start_va = 0x2350000 end_va = 0x244ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 1565 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 1648 start_va = 0x1e90000 end_va = 0x1f0cfff monitored = 0 entry_point = 0x1e9cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1649 start_va = 0x1fa0000 end_va = 0x201ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 1650 start_va = 0x1e90000 end_va = 0x1f0cfff monitored = 0 entry_point = 0x1e9cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1651 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1707 start_va = 0x1e90000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 1708 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 1709 start_va = 0x460000 end_va = 0x460fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 1710 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1711 start_va = 0x470000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 1712 start_va = 0x7fef9520000 end_va = 0x7fef952dfff monitored = 0 entry_point = 0x7fef9525500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1713 start_va = 0x7fef97c0000 end_va = 0x7fef9836fff monitored = 0 entry_point = 0x7fef97fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 1716 start_va = 0x7fefcc30000 end_va = 0x7fefcc51fff monitored = 0 entry_point = 0x7fefcc35d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2081 start_va = 0x2490000 end_va = 0x258ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 2082 start_va = 0x7fefcac0000 end_va = 0x7fefcad7fff monitored = 0 entry_point = 0x7fefcac3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2083 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2084 start_va = 0x22f0000 end_va = 0x2334fff monitored = 0 entry_point = 0x22f1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2085 start_va = 0x22f0000 end_va = 0x2334fff monitored = 0 entry_point = 0x22f1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2086 start_va = 0x22f0000 end_va = 0x2334fff monitored = 0 entry_point = 0x22f1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2087 start_va = 0x22f0000 end_va = 0x2334fff monitored = 0 entry_point = 0x22f1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2088 start_va = 0x22f0000 end_va = 0x2334fff monitored = 0 entry_point = 0x22f1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2170 start_va = 0x7fefc7c0000 end_va = 0x7fefc806fff monitored = 0 entry_point = 0x7fefc7c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2171 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c3fff monitored = 0 entry_point = 0x7fefd1b10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2224 start_va = 0x2750000 end_va = 0x284ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 2225 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2226 start_va = 0x2650000 end_va = 0x274ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 2227 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2241 start_va = 0x7fef9240000 end_va = 0x7fef9252fff monitored = 0 entry_point = 0x7fef9241d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2242 start_va = 0x7fef9560000 end_va = 0x7fef9632fff monitored = 0 entry_point = 0x7fef95d8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2243 start_va = 0x7fef9530000 end_va = 0x7fef9556fff monitored = 0 entry_point = 0x7fef95311a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2390 start_va = 0x480000 end_va = 0x482fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 2493 start_va = 0x2890000 end_va = 0x298ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 2494 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2824 start_va = 0x2b50000 end_va = 0x2c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 2825 start_va = 0x7fefca60000 end_va = 0x7fefcab4fff monitored = 0 entry_point = 0x7fefca61054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2826 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2827 start_va = 0x2990000 end_va = 0x2a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 2828 start_va = 0x7fefc460000 end_va = 0x7fefc466fff monitored = 0 entry_point = 0x7fefc4614b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 3241 start_va = 0x2590000 end_va = 0x264ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Thread: id = 5 os_tid = 0xfdc [0048.410] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfc98 | out: lpSystemTimeAsFileTime=0x2cfc98*(dwLowDateTime=0x17202340, dwHighDateTime=0x1d937fd)) [0048.410] GetCurrentThreadId () returned 0xfdc [0048.410] GetCurrentProcessId () returned 0xfd8 [0048.410] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfca0 | out: lpPerformanceCount=0x2cfca0*=3317292696195) returned 1 [0048.410] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0048.413] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0048.413] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0048.413] GetLastError () returned 0x7e [0048.413] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0048.413] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0048.414] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0048.414] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0048.414] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0048.415] GetProcessHeap () returned 0xc0000 [0048.415] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0048.415] GetLastError () returned 0x7e [0048.415] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0048.416] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0048.416] GetLastError () returned 0x7e [0048.416] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0048.416] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0048.416] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3c8) returned 0xdcf90 [0048.416] SetLastError (dwErrCode=0x7e) [0048.416] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1200) returned 0xdd360 [0048.419] GetStartupInfoW (in: lpStartupInfo=0x2cfb70 | out: lpStartupInfo=0x2cfb70*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2cfbf8, hStdError=0x1)) [0048.419] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0048.419] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0048.419] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0048.419] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc" [0048.419] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc" [0048.419] GetACP () returned 0x4e4 [0048.419] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x228) returned 0xdab70 [0048.419] IsValidCodePage (CodePage=0x4e4) returned 1 [0048.419] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cfb30 | out: lpCPInfo=0x2cfb30) returned 1 [0048.419] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf3d0 | out: lpCPInfo=0x2cf3d0) returned 1 [0048.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf3f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0048.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf3f0, cbMultiByte=256, lpWideCharStr=0x2cf120, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0048.419] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x2cf6f0 | out: lpCharType=0x2cf6f0) returned 1 [0048.420] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf3f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0048.420] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf3f0, cbMultiByte=256, lpWideCharStr=0x2cf0c0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0048.420] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0048.420] GetLastError () returned 0x7e [0048.420] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0048.420] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0048.421] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ceeb0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0048.421] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2cf4f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿp«\r", lpUsedDefaultChar=0x0) returned 256 [0048.421] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf3f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0048.421] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf3f0, cbMultiByte=256, lpWideCharStr=0x2cf0c0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0048.421] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0048.421] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ceeb0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0048.421] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2cf5f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0048.421] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x100) returned 0xdf570 [0048.421] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0048.421] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x164) returned 0xdf680 [0048.421] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0048.421] GetLastError () returned 0x0 [0048.421] SetLastError (dwErrCode=0x0) [0048.421] GetEnvironmentStringsW () returned 0xdf7f0* [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xb32) returned 0xe0330 [0048.422] FreeEnvironmentStringsW (penv=0xdf7f0) returned 1 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x128) returned 0xe0e70 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3e) returned 0xdafc0 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x56) returned 0xdada0 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x62) returned 0xdf7f0 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x78) returned 0xdf860 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x62) returned 0xdf8e0 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x30) returned 0xde8e0 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x48) returned 0xdb010 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x28) returned 0xd7960 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1a) returned 0xd7990 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x34) returned 0xde920 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x5c) returned 0xdf950 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x32) returned 0xde960 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x2e) returned 0xde9a0 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1c) returned 0xd79c0 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x19c) returned 0xdf9c0 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x7c) returned 0xdfb70 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3a) returned 0xdb060 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x90) returned 0xdfc00 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x24) returned 0xd79f0 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x30) returned 0xde9e0 [0048.422] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x36) returned 0xdea20 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3c) returned 0xdb0b0 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x52) returned 0xdfca0 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3c) returned 0xdb100 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xd6) returned 0xdfd00 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x2e) returned 0xdea60 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1e) returned 0xd7a20 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x2c) returned 0xdeaa0 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x54) returned 0xdfde0 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x52) returned 0xdfe40 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x2c) returned 0xdeae0 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x26) returned 0xd7a50 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3e) returned 0xdb150 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x24) returned 0xd7a80 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x30) returned 0xdeb20 [0048.423] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x8c) returned 0xdfea0 [0048.424] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe0330 | out: hHeap=0xc0000) returned 1 [0048.424] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1000) returned 0xe0fa0 [0048.424] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0048.424] GetStartupInfoW (in: lpStartupInfo=0x2cfc00 | out: lpStartupInfo=0x2cfc00*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0048.424] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc" [0048.424] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc", pNumArgs=0x2cfbd0 | out: pNumArgs=0x2cfbd0) returned 0xe03c0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0048.425] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0048.462] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x1000) returned 0xe4090 [0048.462] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x16) returned 0xd7650 [0048.462] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Cpurthnvlc", cchWideChar=-1, lpMultiByteStr=0xd7650, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Cpurthnvlc", lpUsedDefaultChar=0x0) returned 11 [0048.462] GetLastError () returned 0x0 [0048.463] SetLastError (dwErrCode=0x0) [0048.463] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcW") returned 0x0 [0048.463] GetLastError () returned 0x7f [0048.463] SetLastError (dwErrCode=0x7f) [0048.463] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcA") returned 0x0 [0048.463] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="Cpurthnvlc") returned 0x7fef2ea5970 [0048.463] GetActiveWindow () returned 0x0 [0066.379] VirtualAlloc (lpAddress=0x0, dwSize=0x7e000, flAllocationType=0x3000, flProtect=0x40) returned 0x3e0000 [0066.904] GetProcAddress (hModule=0x77160000, lpProcName="ExitProcess") returned 0x772a40f0 [0066.904] GetProcAddress (hModule=0x77160000, lpProcName="LoadLibraryW") returned 0x77176420 [0066.904] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77280000 [0066.905] GetProcAddress (hModule=0x77280000, lpProcName="NtMapViewOfSection") returned 0x772d1590 [0066.905] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenFile") returned 0x772d1640 [0066.905] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenSection") returned 0x772d1680 [0066.905] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateSection") returned 0x772d17b0 [0066.905] GetProcAddress (hModule=0x77160000, lpProcName="VirtualProtect") returned 0x771629f0 [0066.905] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentThreadId") returned 0x77173380 [0066.905] GetProcAddress (hModule=0x77160000, lpProcName="GetModuleFileNameA") returned 0x77175940 [0066.905] GetProcAddress (hModule=0x77160000, lpProcName="VirtualAlloc") returned 0x77175c40 [0066.905] GetProcAddress (hModule=0x77160000, lpProcName="GetProcessHeap") returned 0x77181a30 [0066.905] GetProcAddress (hModule=0x77160000, lpProcName="HeapAlloc") returned 0x772d33a0 [0066.905] GetProcAddress (hModule=0x77160000, lpProcName="HeapFree") returned 0x77181a50 [0066.905] GetModuleFileNameA (in: hModule=0x7fef2ea0000, lpFilename=0x2cf8d0, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll")) returned 0x62 [0066.906] VirtualAlloc (lpAddress=0x0, dwSize=0x158000, flAllocationType=0x3000, flProtect=0x4) returned 0x1bc0000 [0066.922] GetProcessHeap () returned 0xc0000 [0066.922] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x3f80) returned 0xe50a0 [0067.386] GetProcessHeap () returned 0xc0000 [0067.387] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe50a0 | out: hHeap=0xc0000) returned 1 [0067.387] GetCurrentThreadId () returned 0xfdc [0067.387] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2cf794 | out: lpflOldProtect=0x2cf794*=0x20) returned 1 [0067.387] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2cf794 | out: lpflOldProtect=0x2cf794*=0x40) returned 1 [0067.981] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2cf794 | out: lpflOldProtect=0x2cf794*=0x20) returned 1 [0067.981] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2cf794 | out: lpflOldProtect=0x2cf794*=0x40) returned 1 [0068.030] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2cf794 | out: lpflOldProtect=0x2cf794*=0x20) returned 1 [0068.031] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2cf794 | out: lpflOldProtect=0x2cf794*=0x40) returned 1 [0068.903] LoadLibraryW (lpLibFileName="gdiplus.dll") returned 0x1d20000 [0068.907] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ce604 | out: lpflOldProtect=0x2ce604*=0x20) returned 1 [0068.907] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ce604 | out: lpflOldProtect=0x2ce604*=0x40) returned 1 [0069.217] NtOpenFile (in: FileHandle=0x2ce6e8, DesiredAccess=0x100020, ObjectAttributes=0x2ce738*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x2ce768, ShareAccess=0x3, OpenOptions=0x21 | out: FileHandle=0x2ce6e8*=0x70, IoStatusBlock=0x2ce768*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0069.450] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ce604 | out: lpflOldProtect=0x2ce604*=0x20) returned 1 [0069.450] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ce604 | out: lpflOldProtect=0x2ce604*=0x40) returned 1 [0069.741] GetCurrentThreadId () returned 0xfdc [0069.741] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2cf2d4 | out: lpflOldProtect=0x2cf2d4*=0x20) returned 1 [0069.741] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2cf2d4 | out: lpflOldProtect=0x2cf2d4*=0x40) returned 1 [0070.243] NtOpenFile (in: FileHandle=0x2cf3a0, DesiredAccess=0x100021, ObjectAttributes=0x2cf458*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x2cf488, ShareAccess=0x5, OpenOptions=0x60 | out: FileHandle=0x2cf3a0*=0x74, IoStatusBlock=0x2cf488*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0070.243] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2cf2c4 | out: lpflOldProtect=0x2cf2c4*=0x20) returned 1 [0070.244] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2cf2c4 | out: lpflOldProtect=0x2cf2c4*=0x40) returned 1 [0070.489] GetCurrentThreadId () returned 0xfdc [0070.489] NtCreateSection (in: SectionHandle=0x2cf3a8, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x74 | out: SectionHandle=0x2cf3a8*=0x78) returned 0x0 [0070.490] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2cf154 | out: lpflOldProtect=0x2cf154*=0x20) returned 1 [0070.490] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2cf154 | out: lpflOldProtect=0x2cf154*=0x40) returned 1 [0070.796] GetCurrentThreadId () returned 0xfdc [0070.796] NtCreateSection (in: SectionHandle=0x2cf238, DesiredAccess=0xe, ObjectAttributes=0x0, MaximumSize=0x2cf230, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x2cf238*=0x7c) returned 0x0 [0070.796] NtMapViewOfSection (in: SectionHandle=0x7c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x2cf1d8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x2cf3f8*=0x0, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x2cf1d8*=0x1d20000, SectionOffset=0x0, ViewSize=0x2cf3f8*=0x161000) returned 0x0 [0072.310] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf2d8 | out: lpSystemTimeAsFileTime=0x2cf2d8*(dwLowDateTime=0x24e7c960, dwHighDateTime=0x1d937fd)) [0072.310] GetCurrentThreadId () returned 0xfdc [0072.310] GetCurrentProcessId () returned 0xfd8 [0072.311] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf2e0 | out: lpPerformanceCount=0x2cf2e0*=3320276270068) returned 1 [0072.713] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0072.713] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0072.713] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0072.714] GetLastError () returned 0x7e [0072.714] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0072.714] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0073.006] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0074.350] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0074.350] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0074.630] GetProcessHeap () returned 0xc0000 [0074.637] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0074.638] GetLastError () returned 0x7e [0074.638] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0074.638] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0074.638] GetLastError () returned 0x7e [0074.638] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0074.660] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3c8) returned 0xf1a10 [0074.661] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0074.918] SetLastError (dwErrCode=0x7e) [0074.948] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1000) returned 0xf1de0 [0074.951] GetStartupInfoW (in: lpStartupInfo=0x2cf160 | out: lpStartupInfo=0x2cf160*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x1)) [0074.951] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0074.951] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0074.951] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0075.186] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc" [0075.186] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc" [0075.211] GetLastError () returned 0x7e [0075.211] SetLastError (dwErrCode=0x7e) [0075.211] GetLastError () returned 0x7e [0075.211] SetLastError (dwErrCode=0x7e) [0075.211] GetACP () returned 0x4e4 [0075.211] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x228) returned 0xf3df0 [0075.212] IsValidCodePage (CodePage=0x4e4) returned 1 [0075.212] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf130 | out: lpCPInfo=0x2cf130) returned 1 [0075.220] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2ce9d0 | out: lpCPInfo=0x2ce9d0) returned 1 [0075.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ce9f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0075.220] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ce9f0, cbMultiByte=256, lpWideCharStr=0x2ce720, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ\x0c") returned 256 [0075.220] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ\x0c", cchSrc=256, lpCharType=0x2cecf0 | out: lpCharType=0x2cecf0) returned 1 [0075.446] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ce9f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0075.446] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ce9f0, cbMultiByte=256, lpWideCharStr=0x2ce6c0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0075.446] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0075.447] GetLastError () returned 0x7e [0075.447] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0075.447] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0075.447] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ce4b0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0075.447] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2ceaf0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x0e\x0e", lpUsedDefaultChar=0x0) returned 256 [0075.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ce9f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0075.447] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ce9f0, cbMultiByte=256, lpWideCharStr=0x2ce6c0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0075.447] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0075.447] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ce4b0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0075.447] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2cebf0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0075.447] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x100) returned 0xf4020 [0075.447] RtlInitializeSListHead (in: ListHead=0x1e68410 | out: ListHead=0x1e68410) [0075.975] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0075.975] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0075.975] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0075.975] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0075.975] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0075.975] GetProcAddress (hModule=0x77160000, lpProcName="InitializeCriticalSectionEx") returned 0x77176e50 [0075.975] GetProcAddress (hModule=0x77160000, lpProcName="InitOnceExecuteOnce") returned 0x77165d60 [0075.976] GetProcAddress (hModule=0x77160000, lpProcName="CreateEventExW") returned 0x771ac970 [0075.976] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreW") returned 0x77168e00 [0075.976] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreExW") returned 0x771ac8a0 [0075.976] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolTimer") returned 0x77167e90 [0075.976] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolTimer") returned 0x7729b2f0 [0075.976] GetProcAddress (hModule=0x77160000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7728d8c0 [0075.976] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolTimer") returned 0x7728d620 [0075.976] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWait") returned 0x771abe60 [0075.976] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolWait") returned 0x7729e170 [0075.977] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWait") returned 0x7728c540 [0075.977] GetProcAddress (hModule=0x77160000, lpProcName="FlushProcessWriteBuffers") returned 0x772d1f80 [0075.977] GetProcAddress (hModule=0x77160000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x7734ec60 [0075.977] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentProcessorNumber") returned 0x772d0040 [0075.977] GetProcAddress (hModule=0x77160000, lpProcName="CreateSymbolicLinkW") returned 0x771d5af0 [0075.977] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentPackageId") returned 0x0 [0075.977] GetProcAddress (hModule=0x77160000, lpProcName="GetTickCount64") returned 0x77168ac0 [0075.977] GetProcAddress (hModule=0x77160000, lpProcName="GetFileInformationByHandleEx") returned 0x771712f0 [0075.977] GetProcAddress (hModule=0x77160000, lpProcName="SetFileInformationByHandle") returned 0x771ac120 [0075.978] GetProcAddress (hModule=0x77160000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0075.978] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0075.978] GetProcAddress (hModule=0x77160000, lpProcName="WakeConditionVariable") returned 0x7733bab0 [0075.978] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0075.978] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0075.978] GetProcAddress (hModule=0x77160000, lpProcName="InitializeSRWLock") returned 0x772b84f0 [0075.978] GetProcAddress (hModule=0x77160000, lpProcName="AcquireSRWLockExclusive") returned 0x772a8020 [0075.978] GetProcAddress (hModule=0x77160000, lpProcName="TryAcquireSRWLockExclusive") returned 0x7732bdd0 [0075.978] GetProcAddress (hModule=0x77160000, lpProcName="ReleaseSRWLockExclusive") returned 0x772a8050 [0075.979] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableSRW") returned 0x771ab5c0 [0075.979] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWork") returned 0x77165d30 [0075.979] GetProcAddress (hModule=0x77160000, lpProcName="SubmitThreadpoolWork") returned 0x77292330 [0075.979] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWork") returned 0x772921f0 [0075.979] GetProcAddress (hModule=0x77160000, lpProcName="CompareStringEx") returned 0x771abd60 [0075.979] GetProcAddress (hModule=0x77160000, lpProcName="GetLocaleInfoEx") returned 0x771635e0 [0075.979] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0075.979] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0075.980] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0075.980] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0075.980] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0075.980] RtlInitializeConditionVariable () returned 0x772a00b0 [0076.382] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1000) returned 0xf4130 [0076.734] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1e68fb0, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0076.735] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xc2) returned 0xf5140 [0076.735] GetEnvironmentStringsW () returned 0xf5210* [0076.737] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1433 [0076.737] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x599) returned 0xf5d50 [0076.737] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0xf5d50, cbMultiByte=1433, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1433 [0076.737] FreeEnvironmentStringsW (penv=0xf5210) returned 1 [0076.737] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x128) returned 0xf5210 [0076.737] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1f) returned 0xe5c40 [0076.737] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x2b) returned 0xf36e0 [0076.737] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x31) returned 0xf3720 [0076.737] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3c) returned 0xf0050 [0076.737] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x31) returned 0xf3760 [0076.737] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x18) returned 0xe0e20 [0076.737] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x24) returned 0xe5c70 [0076.737] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x14) returned 0xe0e40 [0076.737] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xd) returned 0xf5340 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1a) returned 0xe5ca0 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x2e) returned 0xf37a0 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x19) returned 0xe5cd0 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x17) returned 0xf5360 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xe) returned 0xf5380 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xce) returned 0xf53a0 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3e) returned 0xf00a0 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1d) returned 0xe5d00 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x48) returned 0xf00f0 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x12) returned 0xf5480 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x18) returned 0xf54a0 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1b) returned 0xe5d30 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1e) returned 0xe5d60 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x29) returned 0xf37e0 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1e) returned 0xe5d90 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x6b) returned 0xebdb0 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x17) returned 0xf54c0 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0xf) returned 0xf54e0 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x16) returned 0xf5500 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x2a) returned 0xf3820 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x29) returned 0xf3860 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x16) returned 0xf5520 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x13) returned 0xf5570 [0076.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x1f) returned 0xe5dc0 [0076.739] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x12) returned 0xf5590 [0076.739] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x18) returned 0xf55b0 [0076.739] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x46) returned 0xf0140 [0076.739] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5d50 | out: hHeap=0xc0000) returned 1 [0077.452] GetCurrentThread () returned 0xfffffffffffffffe [0077.452] GetThreadTimes (in: hThread=0xfffffffffffffffe, lpCreationTime=0x2cf218, lpExitTime=0x2cf210, lpKernelTime=0x2cf210, lpUserTime=0x2cf210 | out: lpCreationTime=0x2cf218, lpExitTime=0x2cf210, lpKernelTime=0x2cf210, lpUserTime=0x2cf210) returned 1 [0077.452] RtlInitializeSListHead (in: ListHead=0x1e68aa0 | out: ListHead=0x1e68aa0) [0077.863] RtlPcToFileHeader (in: PcValue=0x1e4fef8, BaseOfImage=0x2cf140 | out: BaseOfImage=0x2cf140*=0x1d20000) returned 0x1d20000 [0078.135] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x50) returned 0xf5d50 [0078.135] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x98 [0078.136] RtlWakeAllConditionVariable () returned 0x772a00b0 [0078.407] RtlWakeAllConditionVariable () returned 0x772a00b0 [0078.407] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x2cf090 | out: lpWSAData=0x2cf090) returned 0 [0078.419] RtlWakeAllConditionVariable () returned 0x772a00b0 [0078.419] RtlWakeAllConditionVariable () returned 0x772a00b0 [0078.625] RtlSizeHeap (HeapHandle=0xc0000, Flags=0x0, MemoryPointer=0xf4020) returned 0x100 [0078.625] RtlReAllocateHeap (Heap=0xc0000, Flags=0x0, Ptr=0xf4020, Size=0x200) returned 0xf6180 [0078.945] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0078.945] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateThreadEx") returned 0x772d1d90 [0078.946] GetProcAddress (hModule=0x77280000, lpProcName="RtlNewSecurityObjectWithMultipleInheritance") returned 0x77364540 [0078.946] GetCurrentProcess () returned 0xffffffffffffffff [0078.946] NtCreateThreadEx (in: ThreadHandle=0x1e69890, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffffffffffff, lpStartAddress=0x77364540, lpParameter=0x0, CreateSuspended=1, StackZeroBits=0x0, SizeOfStackCommit=0x0, SizeOfStackReserve=0x0, lpBytesBuffer=0x0 | out: ThreadHandle=0x1e69890*=0xb0, lpBytesBuffer=0x0) returned 0x0 [0078.946] GetThreadContext (in: hThread=0xb0, lpContext=0x2cedc0 | out: lpContext=0x2cedc0*(P1Home=0xf6150, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0xf, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0xf4020, Dr2=0x772d3488, Dr3=0xc0230, Dr6=0xc0388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x77364540, Rdx=0x0, Rbx=0x0, Rsp=0x244f898, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0xf4020, VectorRegister.High=0xf4020, VectorControl=0x0, DebugControl=0x1da7129, LastBranchToRip=0x0, LastBranchFromRip=0x2cf778, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0079.235] SetThreadContext (hThread=0xb0, lpContext=0x2cedc0*(P1Home=0xf6150, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0xf, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0xf4020, Dr2=0x772d3488, Dr3=0xc0230, Dr6=0xc0388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x1d3365c, Rdx=0x0, Rbx=0x0, Rsp=0x244f898, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0xf4020, VectorRegister.High=0xf4020, VectorControl=0x0, DebugControl=0x1da7129, LastBranchToRip=0x0, LastBranchFromRip=0x2cf778, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0079.236] ResumeThread (hThread=0xb0) returned 0x1 [0079.253] GetProcAddress (hModule=0x1d20000, lpProcName="setPath") returned 0x1d34604 [0079.253] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x70) returned 0xebe30 [0079.253] SetEvent (hEvent=0x98) returned 1 [0079.589] WaitForSingleObject (hHandle=0xb0, dwMilliseconds=0xffffffff) Thread: id = 58 os_tid = 0xae4 [0079.294] GetLastError () returned 0x57 [0079.294] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0079.294] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x78) returned 0xebeb0 [0079.294] SetLastError (dwErrCode=0x57) [0079.294] GetLastError () returned 0x57 [0079.294] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3c8) returned 0xf7c20 [0079.299] SetLastError (dwErrCode=0x57) [0079.589] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0079.589] GetLastError () returned 0x7e [0079.589] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x244f320 | out: lpSystemTimeAsFileTime=0x244f320*(dwLowDateTime=0x28d101e0, dwHighDateTime=0x1d937fd)) [0079.589] GetLastError () returned 0x7e [0079.589] SetLastError (dwErrCode=0x7e) [0079.589] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0079.590] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x70) returned 0xebf30 [0080.932] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x260) returned 0xf7ff0 [0081.755] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0082.175] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x38) returned 0xf3da0 [0082.188] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x2) returned 0xf4080 [0082.391] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf4080 | out: hHeap=0xc0000) returned 1 [0082.391] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x2) returned 0xf4080 [0082.410] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x30) returned 0xf8290 [0082.618] GetLastError () returned 0x7e [0082.634] SetLastError (dwErrCode=0x7e) [0082.817] GetLastError () returned 0x7e [0082.817] SetLastError (dwErrCode=0x7e) [0082.843] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x158) returned 0xf9260 [0082.843] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x6a6) returned 0xf93c0 [0082.843] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf93c0 | out: hHeap=0xc0000) returned 1 [0082.844] GetLastError () returned 0x7e [0082.844] SetLastError (dwErrCode=0x7e) [0083.029] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x6) returned 0xf40a0 [0083.029] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x2) returned 0xf40c0 [0083.244] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x4) returned 0xf40e0 [0083.244] GetLastError () returned 0x7e [0083.244] SetLastError (dwErrCode=0x7e) [0083.244] GetLastError () returned 0x7e [0083.244] SetLastError (dwErrCode=0x7e) [0083.244] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x158) returned 0xf93c0 [0083.244] GetLastError () returned 0x7e [0083.244] SetLastError (dwErrCode=0x7e) [0083.257] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x6a6) returned 0xf9520 [0083.258] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9520 | out: hHeap=0xc0000) returned 1 [0083.258] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf40a0 | out: hHeap=0xc0000) returned 1 [0083.258] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9260 | out: hHeap=0xc0000) returned 1 [0083.258] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf40e0 | out: hHeap=0xc0000) returned 1 [0083.259] GetLastError () returned 0x7e [0083.259] SetLastError (dwErrCode=0x7e) [0083.259] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x6) returned 0xf40a0 [0083.259] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x2) returned 0xf40e0 [0083.259] GetLastError () returned 0x7e [0083.259] SetLastError (dwErrCode=0x7e) [0083.259] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x200) returned 0xf9520 [0083.259] GetLastError () returned 0x7e [0083.259] SetLastError (dwErrCode=0x7e) [0083.259] GetLastError () returned 0x7e [0083.259] SetLastError (dwErrCode=0x7e) [0083.259] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x4) returned 0xf4100 [0083.259] GetLastError () returned 0x7e [0083.259] SetLastError (dwErrCode=0x7e) [0083.259] GetLastError () returned 0x7e [0083.259] SetLastError (dwErrCode=0x7e) [0083.260] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x158) returned 0xf9260 [0083.260] GetLastError () returned 0x7e [0083.260] SetLastError (dwErrCode=0x7e) [0083.260] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x6a6) returned 0xf9730 [0083.260] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9730 | out: hHeap=0xc0000) returned 1 [0083.260] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf40a0 | out: hHeap=0xc0000) returned 1 [0083.261] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf93c0 | out: hHeap=0xc0000) returned 1 [0083.261] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf4100 | out: hHeap=0xc0000) returned 1 [0083.261] GetLastError () returned 0x7e [0083.261] SetLastError (dwErrCode=0x7e) [0083.261] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x6) returned 0xf40a0 [0083.261] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf40e0 | out: hHeap=0xc0000) returned 1 [0083.261] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf40c0 | out: hHeap=0xc0000) returned 1 [0083.261] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55f0 [0083.261] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.261] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x25a) returned 0xf9730 [0083.442] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.455] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e80 [0083.455] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5eb0 [0083.455] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.468] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e80 | out: hHeap=0xc0000) returned 1 [0083.469] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e80 [0083.469] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x60) returned 0xed5d0 [0083.469] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.469] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x80) returned 0xf93c0 [0083.469] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xed5d0 | out: hHeap=0xc0000) returned 1 [0083.470] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5ee0 [0083.481] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xc0) returned 0xf9450 [0083.482] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf93c0 | out: hHeap=0xc0000) returned 1 [0083.483] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5f10 [0083.483] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5f40 [0083.483] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x120) returned 0xf99a0 [0083.484] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9450 | out: hHeap=0xc0000) returned 1 [0083.484] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5f70 [0083.484] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5fa0 [0083.484] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x1a0) returned 0xf9ad0 [0083.484] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf99a0 | out: hHeap=0xc0000) returned 1 [0083.484] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5fd0 [0083.484] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe6000 [0083.484] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe6030 [0083.484] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe6060 [0083.484] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x260) returned 0xf9c80 [0083.485] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9ad0 | out: hHeap=0xc0000) returned 1 [0083.485] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe6090 [0083.485] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe60c0 [0083.485] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe60f0 [0083.485] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe6120 [0083.485] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe6150 [0083.485] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xf9f20 [0083.486] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x380) returned 0xfaaf0 [0083.487] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9c80 | out: hHeap=0xc0000) returned 1 [0083.634] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xf9f50 [0083.634] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xf9f80 [0083.634] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xf9fb0 [0083.634] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xf9fe0 [0083.634] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xfa010 [0083.634] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xfa040 [0083.634] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xfa070 [0083.634] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xfa0a0 [0083.634] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xfa0d0 [0083.634] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x540) returned 0xf99a0 [0083.635] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfaaf0 | out: hHeap=0xc0000) returned 1 [0083.635] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xfa100 [0083.635] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xfa130 [0083.635] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xfa160 [0083.635] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xfa190 [0083.635] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xfa1c0 [0083.636] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.636] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9730 | out: hHeap=0xc0000) returned 1 [0083.636] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.636] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.636] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.637] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.637] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x12) returned 0xf5630 [0083.637] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.637] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.637] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.637] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.637] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.637] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.637] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf01e0 [0083.638] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.638] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.638] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.638] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11) returned 0xf5630 [0083.638] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.638] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.639] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.639] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.639] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.639] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.639] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x80) returned 0xf93c0 [0083.640] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf01e0 | out: hHeap=0xc0000) returned 1 [0083.640] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.640] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.641] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.641] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xf) returned 0xf5630 [0083.641] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.641] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.642] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.642] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.642] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.642] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.642] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xc0) returned 0xf9450 [0083.642] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf93c0 | out: hHeap=0xc0000) returned 1 [0083.643] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.643] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.643] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.643] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5630 [0083.643] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.643] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.644] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.644] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.644] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.644] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.644] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x100) returned 0xf9730 [0083.644] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9450 | out: hHeap=0xc0000) returned 1 [0083.645] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.645] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.645] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.645] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x13) returned 0xf5630 [0083.645] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.645] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.646] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.646] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.646] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.646] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.646] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x180) returned 0xfaaf0 [0083.646] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9730 | out: hHeap=0xc0000) returned 1 [0083.647] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.647] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.647] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.647] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x12) returned 0xf5630 [0083.647] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.647] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.648] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.648] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.648] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.648] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.648] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.648] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.648] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.648] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5630 [0083.649] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.649] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.649] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.649] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.649] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.649] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.649] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x240) returned 0xf9730 [0083.650] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfaaf0 | out: hHeap=0xc0000) returned 1 [0083.650] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.650] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.650] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.650] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xe) returned 0xf5630 [0083.650] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.650] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.651] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.651] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.651] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.651] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.651] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.651] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.651] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.652] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x12) returned 0xf5630 [0083.652] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.652] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.652] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.652] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.652] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.652] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.653] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.653] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.653] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.653] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11) returned 0xf5630 [0083.653] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.653] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.654] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.654] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.654] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.654] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.654] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x340) returned 0xfaaf0 [0083.655] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9730 | out: hHeap=0xc0000) returned 1 [0083.655] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.655] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.656] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.656] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x13) returned 0xf5630 [0083.656] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.656] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.656] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.656] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.657] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.657] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.657] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.657] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.657] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.657] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x12) returned 0xf5630 [0083.658] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.658] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.658] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.658] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.658] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.658] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.658] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.659] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.659] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.659] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x13) returned 0xf5630 [0083.659] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.659] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.659] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.659] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.659] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.659] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.660] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.660] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.660] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.660] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x12) returned 0xf5630 [0083.660] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.660] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.660] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.661] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.661] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.661] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.661] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x4c0) returned 0xfae40 [0083.661] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfaaf0 | out: hHeap=0xc0000) returned 1 [0083.662] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.662] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.662] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.662] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11) returned 0xf5630 [0083.662] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.662] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.663] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.663] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.663] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.663] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.663] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.663] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.663] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.663] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x12) returned 0xf5630 [0083.663] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.663] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.664] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.664] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.664] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.664] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.664] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.664] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.665] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.665] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5630 [0083.665] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.665] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.665] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.665] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.665] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.665] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.666] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.666] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.666] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.666] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5630 [0083.666] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.666] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.667] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.879] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.879] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.879] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.880] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.880] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.880] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.880] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11) returned 0xf5630 [0083.880] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.880] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.881] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.881] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.881] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.881] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.882] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.882] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.882] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.882] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11) returned 0xf5630 [0083.882] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.882] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.883] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.883] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.883] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.883] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.883] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x700) returned 0xfb310 [0083.883] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfae40 | out: hHeap=0xc0000) returned 1 [0083.884] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.884] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.884] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.884] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x12) returned 0xf5630 [0083.884] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.884] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.885] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.885] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.885] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.885] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.886] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.886] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.886] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.886] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11) returned 0xf5630 [0083.886] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.886] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.887] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.887] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.887] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.887] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.888] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.888] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.888] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.888] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11) returned 0xf5630 [0083.888] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.888] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.889] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.889] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.889] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.889] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.889] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.889] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.890] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.890] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x12) returned 0xf5630 [0083.890] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.890] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.890] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.890] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.890] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.890] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.891] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.891] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.891] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.891] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11) returned 0xf5630 [0083.891] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.891] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.892] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.892] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.892] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.892] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.893] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.893] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.893] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.893] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5630 [0083.893] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.893] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.893] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.893] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.894] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.894] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.894] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.894] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.894] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.894] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x12) returned 0xf5630 [0083.894] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.894] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.895] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.895] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.895] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.895] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.896] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.896] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.896] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.896] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11) returned 0xf5630 [0083.896] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.896] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.897] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.897] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.897] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.897] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.898] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.898] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.898] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.898] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x13) returned 0xf5630 [0083.898] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.898] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.899] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.899] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.899] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.899] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.899] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xa80) returned 0xfba20 [0083.900] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb310 | out: hHeap=0xc0000) returned 1 [0083.901] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.901] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.901] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.901] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5630 [0083.901] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.901] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.902] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.902] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.902] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.902] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.902] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.902] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.902] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.903] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11) returned 0xf5630 [0083.903] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.903] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.903] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.903] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.903] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.903] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.904] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.904] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.904] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.904] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x13) returned 0xf5630 [0083.904] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.904] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.905] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.905] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.905] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.905] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.906] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.906] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf55d0 [0083.906] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x10) returned 0xf5610 [0083.906] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x12) returned 0xf5630 [0083.906] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0xe5e50 [0083.906] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x40) returned 0xf0190 [0083.907] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e50 | out: hHeap=0xc0000) returned 1 [0083.907] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5630 | out: hHeap=0xc0000) returned 1 [0083.907] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5610 | out: hHeap=0xc0000) returned 1 [0083.907] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf55d0 | out: hHeap=0xc0000) returned 1 [0083.908] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf0190 | out: hHeap=0xc0000) returned 1 [0083.909] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5eb0 | out: hHeap=0xc0000) returned 1 [0083.909] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5e80 | out: hHeap=0xc0000) returned 1 [0083.910] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5ee0 | out: hHeap=0xc0000) returned 1 [0083.910] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5f10 | out: hHeap=0xc0000) returned 1 [0083.910] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5f40 | out: hHeap=0xc0000) returned 1 [0083.910] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5f70 | out: hHeap=0xc0000) returned 1 [0083.911] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5fa0 | out: hHeap=0xc0000) returned 1 [0083.911] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe5fd0 | out: hHeap=0xc0000) returned 1 [0083.912] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe6000 | out: hHeap=0xc0000) returned 1 [0083.912] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe6030 | out: hHeap=0xc0000) returned 1 [0083.913] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe6060 | out: hHeap=0xc0000) returned 1 [0083.913] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe6090 | out: hHeap=0xc0000) returned 1 [0084.096] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe60c0 | out: hHeap=0xc0000) returned 1 [0084.096] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe60f0 | out: hHeap=0xc0000) returned 1 [0084.096] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe6120 | out: hHeap=0xc0000) returned 1 [0084.097] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xe6150 | out: hHeap=0xc0000) returned 1 [0084.097] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9f20 | out: hHeap=0xc0000) returned 1 [0084.097] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9f50 | out: hHeap=0xc0000) returned 1 [0084.098] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9f80 | out: hHeap=0xc0000) returned 1 [0084.098] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9fb0 | out: hHeap=0xc0000) returned 1 [0084.098] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf9fe0 | out: hHeap=0xc0000) returned 1 [0084.099] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfa010 | out: hHeap=0xc0000) returned 1 [0084.099] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfa040 | out: hHeap=0xc0000) returned 1 [0084.100] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfa070 | out: hHeap=0xc0000) returned 1 [0084.100] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfa0a0 | out: hHeap=0xc0000) returned 1 [0084.101] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfa0d0 | out: hHeap=0xc0000) returned 1 [0084.101] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfa100 | out: hHeap=0xc0000) returned 1 [0084.101] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfa130 | out: hHeap=0xc0000) returned 1 [0084.102] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfa160 | out: hHeap=0xc0000) returned 1 [0084.102] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfa190 | out: hHeap=0xc0000) returned 1 [0084.102] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfa1c0 | out: hHeap=0xc0000) returned 1 [0084.103] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf99a0 | out: hHeap=0xc0000) returned 1 [0084.103] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf7ff0 | out: hHeap=0xc0000) returned 1 [0084.351] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0089.394] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0089.395] GetProcAddress (hModule=0x77280000, lpProcName="ZwAllocateVirtualMemory") returned 0x772d1490 [0089.395] GetProcAddress (hModule=0x77280000, lpProcName="ZwWriteVirtualMemory") returned 0x772d16b0 [0089.395] GetProcAddress (hModule=0x77280000, lpProcName="ZwReadVirtualMemory") returned 0x772d1700 [0089.395] GetProcAddress (hModule=0x77280000, lpProcName="ZwGetContextThread") returned 0x772d1fe0 [0089.395] GetProcAddress (hModule=0x77280000, lpProcName="ZwSetContextThread") returned 0x772d2840 [0090.238] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x30) returned 0x109f60 [0090.448] CoCreateInstance (in: rclsid=0x1e057e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e057f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x244f1d0 | out: ppv=0x244f1d0*=0xf5950) returned 0x0 [0090.672] WbemLocator:IWbemLocator:ConnectServer (in: This=0xf5950, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x244f1c8 | out: ppNamespace=0x244f1c8*=0x125390) returned 0x0 [0093.710] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x7fefd730000 [0093.710] GetProcAddress (hModule=0x7fefd730000, lpProcName="CoSetProxyBlanket") returned 0x7fefd76bf00 [0093.710] CoSetProxyBlanket (pProxy=0x125390, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0093.710] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0xf5c70 [0093.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x109f60, cbMultiByte=35, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 35 [0093.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x109f60, cbMultiByte=35, lpWideCharStr=0x244f0c0, cchWideChar=35 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystem") returned 35 [0093.938] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0xf5c90 [0093.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e1b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0093.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e1b258, cbMultiByte=4, lpWideCharStr=0x244f100, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0093.939] IWbemServices:ExecQuery (in: This=0x125390, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystem", lFlags=48, pCtx=0x0, ppEnum=0x244f1d8 | out: ppEnum=0x244f1d8*=0x12c310) returned 0x0 [0094.152] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5c90 | out: hHeap=0xc0000) returned 1 [0094.152] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5c70 | out: hHeap=0xc0000) returned 1 [0094.152] IEnumWbemClassObject:Next (in: This=0x12c310, lTimeout=-1, uCount=0x1, apObjects=0x244f1e0, puReturned=0x244f2f8 | out: apObjects=0x244f1e0*=0x130120, puReturned=0x244f2f8*=0x1) returned 0x0 [0094.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x244f330, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0094.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x244f330, cbMultiByte=4, lpWideCharStr=0x244f0f8, cchWideChar=4 | out: lpWideCharStr="Name") returned 4 [0095.251] IWbemClassObject:Get (in: This=0x130120, wszName="Name", lFlags=0, pVal=0x244f280*(varType=0x0, wReserved1=0x10, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x244f280*(varType=0x8, wReserved1=0x10, wReserved2=0x0, wReserved3=0x0, varVal1="Q9IATRKPRH", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0095.690] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x10dc10 [0095.690] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0096.075] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x244f118, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Q9IATRKPRH", lpUsedDefaultChar=0x0) returned 10 [0096.094] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x10dc10 | out: hHeap=0xc0000) returned 1 [0096.095] IUnknown:Release (This=0x130120) returned 0x0 [0096.095] WbemLocator:IUnknown:Release (This=0x125390) returned 0x0 [0096.221] WbemLocator:IUnknown:Release (This=0xf5950) returned 0x0 [0096.221] IUnknown:Release (This=0x12c310) returned 0x0 [0096.243] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x109f60 | out: hHeap=0xc0000) returned 1 [0096.408] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x30) returned 0x109f60 [0096.427] CoCreateInstance (in: rclsid=0x1e057e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e057f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x244f1d0 | out: ppv=0x244f1d0*=0xf5c90) returned 0x0 [0096.427] WbemLocator:IWbemLocator:ConnectServer (in: This=0xf5c90, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x244f1c8 | out: ppNamespace=0x244f1c8*=0x125390) returned 0x0 [0096.811] CoSetProxyBlanket (pProxy=0x125390, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0096.811] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0xf5cf0 [0096.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x109f60, cbMultiByte=42, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 42 [0096.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x109f60, cbMultiByte=42, lpWideCharStr=0x244f0b0, cchWideChar=42 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystemProduct") returned 42 [0096.824] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0xf5950 [0096.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e1b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0096.824] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e1b258, cbMultiByte=4, lpWideCharStr=0x244f100, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0096.824] IWbemServices:ExecQuery (in: This=0x125390, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystemProduct", lFlags=48, pCtx=0x0, ppEnum=0x244f1d8 | out: ppEnum=0x244f1d8*=0x12c310) returned 0x0 [0096.829] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5950 | out: hHeap=0xc0000) returned 1 [0096.829] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5cf0 | out: hHeap=0xc0000) returned 1 [0096.829] IEnumWbemClassObject:Next (in: This=0x12c310, lTimeout=-1, uCount=0x1, apObjects=0x244f1e0, puReturned=0x244f2f8 | out: apObjects=0x244f1e0*=0x12e090, puReturned=0x244f2f8*=0x1) returned 0x0 [0097.614] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x244f330, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0097.615] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x244f330, cbMultiByte=4, lpWideCharStr=0x244f0f8, cchWideChar=4 | out: lpWideCharStr="UUID") returned 4 [0097.615] IWbemClassObject:Get (in: This=0x12e090, wszName="UUID", lFlags=0, pVal=0x244f280*(varType=0x0, wReserved1=0x10, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x244f280*(varType=0x8, wReserved1=0x10, wReserved2=0x0, wReserved3=0x0, varVal1="4C4C4544-0050-3710-8058-CAC04F59344A", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0097.615] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x50) returned 0x1095a0 [0097.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0097.615] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x30) returned 0x121b70 [0097.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x121b70, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4C4C4544-0050-3710-8058-CAC04F59344A", lpUsedDefaultChar=0x0) returned 36 [0097.615] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x1095a0 | out: hHeap=0xc0000) returned 1 [0097.615] IUnknown:Release (This=0x12e090) returned 0x0 [0097.615] WbemLocator:IUnknown:Release (This=0x125390) returned 0x0 [0097.616] WbemLocator:IUnknown:Release (This=0xf5c90) [0097.617] WbemLocator:IUnknown:Release (This=0xf5c90) returned 0x0 [0097.617] IUnknown:Release (This=0x12c310) returned 0x0 [0097.621] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x109f60 | out: hHeap=0xc0000) returned 1 [0097.636] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x30) returned 0x109f60 [0098.633] GetLastError () returned 0x0 [0098.807] SetLastError (dwErrCode=0x0) [0099.188] GetLastError () returned 0x0 [0099.188] SetLastError (dwErrCode=0x0) [0099.188] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.189] GetLastError () returned 0x0 [0099.189] SetLastError (dwErrCode=0x0) [0099.190] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x30) returned 0x121b30 [0099.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x121b30, cbMultiByte=32, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 32 [0099.190] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x50) returned 0x1092a0 [0099.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x121b30, cbMultiByte=32, lpWideCharStr=0x1092a0, cchWideChar=32 | out: lpWideCharStr="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 32 [0099.190] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 0x180 [0099.190] GetLastError () returned 0x0 [0099.191] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x1092a0 | out: hHeap=0xc0000) returned 1 [0099.191] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x28) returned 0x10dc10 [0099.191] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1d33580, phModule=0x10dc28 | out: phModule=0x10dc28*=0x1d20000) returned 1 [0099.191] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x1dcbd64, lpParameter=0x10dc10, dwCreationFlags=0x0, lpThreadId=0x244f370 | out: lpThreadId=0x244f370*=0xde4) returned 0x184 [0099.192] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12af00 [0099.192] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12ae70 [0099.192] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x30) returned 0x121830 [0099.192] CoCreateInstance (in: rclsid=0x1e057e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e057f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x244f1d0 | out: ppv=0x244f1d0*=0xf5cf0) returned 0x0 [0099.192] WbemLocator:IWbemLocator:ConnectServer (in: This=0xf5cf0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x244f1c8 | out: ppNamespace=0x244f1c8*=0x125420) returned 0x0 [0100.402] CoSetProxyBlanket (pProxy=0x125420, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0100.402] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0xf5d10 [0100.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x121830, cbMultiByte=37, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 37 [0100.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x121830, cbMultiByte=37, lpWideCharStr=0x244f0c0, cchWideChar=37 | out: lpWideCharStr="SELECT * FROM Win32_OperatingSystem ") returned 37 [0100.402] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0xf5c50 [0100.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e1b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0100.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e1b258, cbMultiByte=4, lpWideCharStr=0x244f100, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0100.403] IWbemServices:ExecQuery (in: This=0x125420, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_OperatingSystem ", lFlags=48, pCtx=0x0, ppEnum=0x244f1d8 | out: ppEnum=0x244f1d8*=0x129bb0) returned 0x0 [0100.405] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5c50 | out: hHeap=0xc0000) returned 1 [0100.405] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5d10 | out: hHeap=0xc0000) returned 1 [0100.405] IEnumWbemClassObject:Next (in: This=0x129bb0, lTimeout=-1, uCount=0x1, apObjects=0x244f1e0, puReturned=0x244f2f8 | out: apObjects=0x244f1e0*=0x1341f0, puReturned=0x244f2f8*=0x1) returned 0x0 [0101.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x244f330, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0101.725] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x244f330, cbMultiByte=7, lpWideCharStr=0x244f0f8, cchWideChar=7 | out: lpWideCharStr="Caption") returned 7 [0102.431] IWbemClassObject:Get (in: This=0x1341f0, wszName="Caption", lFlags=0, pVal=0x244f280*(varType=0x0, wReserved1=0x12, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x244f280*(varType=0x8, wReserved1=0x12, wReserved2=0x0, wReserved3=0x0, varVal1="Microsoft Windows 7 Professional ", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0102.846] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x50) returned 0x1096c0 [0102.846] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Microsoft Windows 7 Professional ", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0103.168] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x30) returned 0x139710 [0103.695] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Microsoft Windows 7 Professional ", cchWideChar=33, lpMultiByteStr=0x139710, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows 7 Professional ", lpUsedDefaultChar=0x0) returned 33 [0103.696] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x1096c0 | out: hHeap=0xc0000) returned 1 [0103.696] IUnknown:Release (This=0x1341f0) [0103.696] IUnknown:Release (This=0x1341f0) returned 0x0 [0103.696] WbemLocator:IUnknown:Release (This=0x125420) [0103.696] WbemLocator:IUnknown:Release (This=0x125420) returned 0x0 [0103.927] WbemLocator:IUnknown:Release (This=0xf5cf0) [0103.927] WbemLocator:IUnknown:Release (This=0xf5cf0) returned 0x0 [0103.928] IUnknown:Release (This=0x129bb0) [0103.928] IUnknown:Release (This=0x129bb0) returned 0x0 [0103.956] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x121830 | out: hHeap=0xc0000) returned 1 [0104.535] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12af30 [0104.535] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x47) returned 0x12b8d0 [0104.535] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x139710 | out: hHeap=0xc0000) returned 1 [0104.536] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12af30 | out: hHeap=0xc0000) returned 1 [0104.536] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x30) returned 0x121830 [0104.536] CoCreateInstance (in: rclsid=0x1e057e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e057f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x244f1d0 | out: ppv=0x244f1d0*=0xf5d10) returned 0x0 [0104.536] WbemLocator:IWbemLocator:ConnectServer (in: This=0xf5d10, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x244f1c8 | out: ppNamespace=0x244f1c8*=0x125420) returned 0x0 [0104.919] CoSetProxyBlanket (pProxy=0x125420, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0104.919] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0xf5c50 [0104.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x121830, cbMultiByte=36, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 36 [0104.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x121830, cbMultiByte=36, lpWideCharStr=0x244f0c0, cchWideChar=36 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystem ") returned 36 [0104.945] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0xf5cf0 [0104.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e1b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0104.945] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e1b258, cbMultiByte=4, lpWideCharStr=0x244f100, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0104.945] IWbemServices:ExecQuery (in: This=0x125420, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystem ", lFlags=48, pCtx=0x0, ppEnum=0x244f1d8 | out: ppEnum=0x244f1d8*=0x129bb0) returned 0x0 [0105.133] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5cf0 | out: hHeap=0xc0000) returned 1 [0105.133] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5c50 | out: hHeap=0xc0000) returned 1 [0105.133] IEnumWbemClassObject:Next (in: This=0x129bb0, lTimeout=-1, uCount=0x1, apObjects=0x244f1e0, puReturned=0x244f2f8 | out: apObjects=0x244f1e0*=0x131020, puReturned=0x244f2f8*=0x1) returned 0x0 [0105.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x244f330, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0105.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x244f330, cbMultiByte=6, lpWideCharStr=0x244f0f8, cchWideChar=6 | out: lpWideCharStr="Domain") returned 6 [0105.748] IWbemClassObject:Get (in: This=0x131020, wszName="Domain", lFlags=0, pVal=0x244f280*(varType=0x0, wReserved1=0x12, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x244f280*(varType=0x8, wReserved1=0x12, wReserved2=0x0, wReserved3=0x0, varVal1="WORKGROUP", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0105.748] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12af30 [0105.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WORKGROUP", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0105.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WORKGROUP", cchWideChar=9, lpMultiByteStr=0x244f118, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WORKGROUP", lpUsedDefaultChar=0x0) returned 9 [0105.749] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12af30 | out: hHeap=0xc0000) returned 1 [0105.749] IUnknown:Release (This=0x131020) returned 0x0 [0105.749] WbemLocator:IUnknown:Release (This=0x125420) returned 0x0 [0105.749] WbemLocator:IUnknown:Release (This=0xf5d10) returned 0x0 [0105.749] IUnknown:Release (This=0x129bb0) returned 0x0 [0105.751] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x121830 | out: hHeap=0xc0000) returned 1 [0105.751] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12af30 [0105.751] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x6a) returned 0xec1b0 [0105.751] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12b8d0 | out: hHeap=0xc0000) returned 1 [0105.752] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12af30 | out: hHeap=0xc0000) returned 1 [0105.752] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x70) returned 0xec2b0 [0106.054] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x28) returned 0x12af30 [0106.440] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x38) returned 0x121830 [0107.188] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xb0) returned 0x129ad0 [0107.202] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018 [0107.202] VerifyVersionInfoW (in: lpVersionInformation=0x244f110, dwTypeMask=0x2, dwlConditionMask=0x8000000000000018 | out: lpVersionInformation=0x244f110) returned 1 [0107.202] CreateIoCompletionPort (FileHandle=0xffffffffffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0xffffffff) returned 0x1a4 [0107.403] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x48) returned 0x12b8d0 [0107.403] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x48) returned 0x12b920 [0107.403] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x48) returned 0x12b970 [0107.403] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x48) returned 0x12b9c0 [0107.404] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x48) returned 0x12ba10 [0107.404] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x48) returned 0x12ba60 [0107.404] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x48) returned 0x12bab0 [0107.404] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x48) returned 0x12bb00 [0107.416] GetLastError () returned 0x0 [0107.429] SetLastError (dwErrCode=0x0) [0107.429] Sleep (dwMilliseconds=0x7148) [0119.543] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12b080 [0119.796] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xa90) returned 0x131020 [0120.523] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x80) returned 0x1253b0 [0120.841] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x301e8) returned 0x13a6a0 [0120.883] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x90) returned 0x11b6a0 [0121.088] RtlInitializeConditionVariable () returned 0x772b84f0 [0121.088] GetCurrentThreadId () returned 0xae4 [0121.088] GetCurrentThreadId () returned 0xae4 [0121.101] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x8) returned 0x10b400 [0121.180] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x60) returned 0x12c650 [0121.181] CreateWaitableTimerW (lpTimerAttributes=0x0, bManualReset=0, lpTimerName=0x0) returned 0x1a8 [0121.181] SetWaitableTimer (hTimer=0x1a8, lpDueTime=0x244ea20, lPeriod=300000, pfnCompletionRoutine=0x0, lpArgToCompletionRoutine=0x0, fResume=0) returned 1 [0121.181] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0xf5d10 [0121.181] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12af90 [0121.181] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1ac [0121.181] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1b0 [0121.181] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x28) returned 0x131b90 [0121.181] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x1d37b04, phModule=0x131ba8 | out: phModule=0x131ba8*=0x1d20000) returned 1 [0121.182] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x10000, lpStartAddress=0x1dcbd64, lpParameter=0x131b90, dwCreationFlags=0x0, lpThreadId=0x244e940 | out: lpThreadId=0x244e940*=0x9c0) returned 0x1b4 [0121.183] WaitForSingleObject (hHandle=0x1ac, dwMilliseconds=0xffffffff) returned 0x0 [0121.659] CloseHandle (hObject=0x1ac) returned 1 [0121.672] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x68) returned 0x12c570 [0121.672] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xb0) returned 0x12d380 [0121.800] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018 [0121.800] VerifyVersionInfoW (in: lpVersionInformation=0x244eb00, dwTypeMask=0x2, dwlConditionMask=0x8000000000000018 | out: lpVersionInformation=0x244eb00) returned 1 [0121.800] CreateIoCompletionPort (FileHandle=0xffffffffffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0xffffffff) returned 0x1ac [0121.800] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0xf5c50 [0121.813] WSASetLastError (iError=0) [0121.814] getaddrinfo (in: pNodeName="205.29.103.127", pServiceName="281", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0 | out: ppResult=0x244ebd0*=0x1fa55e0*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa5620*(sa_family=2, sin_port=0x119, sin_addr="205.29.103.127"), ai_next=0x0)) returned 0 [0121.814] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0xf5950 [0121.827] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0xf5cf0 [0121.827] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x60) returned 0x12c730 [0122.010] FreeAddrInfoW (pAddrInfo=0x1fa55e0*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa5620*(sa_family=2, sin_port=0x119, sin_addr="205.29.103.127"), ai_next=0x0)) [0122.010] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x1c0 [0122.270] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) [0122.270] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x1a4 [0122.270] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c990 [0122.271] connect (s=0x1c0, name=0x244eadc*(sa_family=2, sin_port=0x119, sin_addr="205.29.103.127"), namelen=16) [0122.271] connect (s=0x1c0, name=0x244eadc*(sa_family=2, sin_port=0x119, sin_addr="205.29.103.127"), namelen=16) returned -1 [0143.636] WSAGetLastError () [0143.636] WSAGetLastError () returned 10060 [0143.855] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0 | out: lpBuffer="텠\x16") returned 0xb9 [0143.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 186 [0143.979] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xc0) returned 0x16d2e0 [0144.042] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0x16d2e0, cbMultiByte=186, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", lpUsedDefaultChar=0x0) returned 186 [0144.042] LocalFree (hMem=0x16d160) returned 0x0 [0144.184] GetLastError () returned 0x274c [0144.399] SetLastError (dwErrCode=0x274c) [0144.487] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11f) returned 0x16d160 [0144.503] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16d2e0 | out: hHeap=0xc0000) returned 1 [0144.503] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xd0) returned 0x16d290 [0144.504] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16d160 | out: hHeap=0xc0000) returned 1 [0144.504] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0x16d160 [0144.505] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16d290 | out: hHeap=0xc0000) returned 1 [0144.611] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0x16d240 [0144.624] RtlPcToFileHeader (in: PcValue=0x1e51060, BaseOfImage=0x244eba0 | out: BaseOfImage=0x244eba0*=0x1d20000) returned 0x1d20000 [0144.624] RaiseException (dwExceptionCode=0xe06d7363, dwExceptionFlags=0x1, nNumberOfArguments=0x4, lpArguments=0x244eb60) [0144.639] GetLastError () returned 0x274c [0144.639] SetLastError (dwErrCode=0x274c) [0144.640] GetLastError () returned 0x274c [0144.640] SetLastError (dwErrCode=0x274c) [0144.640] GetLastError () returned 0x274c [0144.640] SetLastError (dwErrCode=0x274c) [0144.640] GetLastError () returned 0x274c [0144.640] SetLastError (dwErrCode=0x274c) [0144.640] GetLastError () returned 0x274c [0144.640] SetLastError (dwErrCode=0x274c) [0144.640] GetLastError () returned 0x274c [0144.640] SetLastError (dwErrCode=0x274c) [0144.640] GetLastError () returned 0x274c [0144.640] SetLastError (dwErrCode=0x274c) [0144.640] GetLastError () returned 0x274c [0144.640] SetLastError (dwErrCode=0x274c) [0144.640] GetLastError () returned 0x274c [0144.640] SetLastError (dwErrCode=0x274c) [0144.641] GetLastError () returned 0x274c [0144.641] SetLastError (dwErrCode=0x274c) [0144.641] GetLastError () returned 0x274c [0144.641] SetLastError (dwErrCode=0x274c) [0144.641] GetLastError () returned 0x274c [0144.641] SetLastError (dwErrCode=0x274c) [0144.641] GetLastError () returned 0x274c [0144.641] SetLastError (dwErrCode=0x274c) [0144.641] GetLastError () returned 0x274c [0144.641] SetLastError (dwErrCode=0x274c) [0144.641] GetLastError () returned 0x274c [0144.641] SetLastError (dwErrCode=0x274c) [0144.641] GetLastError () returned 0x274c [0144.641] SetLastError (dwErrCode=0x274c) [0144.641] GetLastError () returned 0x274c [0144.641] SetLastError (dwErrCode=0x274c) [0144.641] GetLastError () returned 0x274c [0144.642] SetLastError (dwErrCode=0x274c) [0144.642] GetLastError () returned 0x274c [0144.642] SetLastError (dwErrCode=0x274c) [0144.642] GetLastError () returned 0x274c [0144.642] SetLastError (dwErrCode=0x274c) [0144.642] GetLastError () returned 0x274c [0144.642] SetLastError (dwErrCode=0x274c) [0144.642] GetLastError () returned 0x274c [0144.642] SetLastError (dwErrCode=0x274c) [0144.642] GetLastError () returned 0x274c [0144.642] SetLastError (dwErrCode=0x274c) [0144.642] GetLastError () returned 0x274c [0144.642] SetLastError (dwErrCode=0x274c) [0144.642] GetLastError () returned 0x274c [0144.642] SetLastError (dwErrCode=0x274c) [0144.642] GetLastError () returned 0x274c [0144.642] SetLastError (dwErrCode=0x274c) [0144.642] GetLastError () returned 0x274c [0144.642] SetLastError (dwErrCode=0x274c) [0144.643] GetLastError () returned 0x274c [0144.643] SetLastError (dwErrCode=0x274c) [0144.643] GetLastError () returned 0x274c [0144.643] SetLastError (dwErrCode=0x274c) [0144.643] GetLastError () returned 0x274c [0144.643] SetLastError (dwErrCode=0x274c) [0144.643] GetLastError () returned 0x274c [0144.643] SetLastError (dwErrCode=0x274c) [0144.643] GetLastError () returned 0x274c [0144.643] SetLastError (dwErrCode=0x274c) [0144.643] GetLastError () returned 0x274c [0144.643] SetLastError (dwErrCode=0x274c) [0144.643] GetLastError () returned 0x274c [0144.643] SetLastError (dwErrCode=0x274c) [0144.643] GetLastError () returned 0x274c [0144.643] SetLastError (dwErrCode=0x274c) [0144.643] GetLastError () returned 0x274c [0144.644] SetLastError (dwErrCode=0x274c) [0144.644] GetLastError () returned 0x274c [0144.644] SetLastError (dwErrCode=0x274c) [0144.644] GetLastError () returned 0x274c [0144.644] SetLastError (dwErrCode=0x274c) [0144.644] GetLastError () returned 0x274c [0144.644] SetLastError (dwErrCode=0x274c) [0144.644] GetLastError () returned 0x274c [0144.644] SetLastError (dwErrCode=0x274c) [0144.644] GetLastError () returned 0x274c [0144.644] SetLastError (dwErrCode=0x274c) [0144.644] GetLastError () returned 0x274c [0144.644] SetLastError (dwErrCode=0x274c) [0144.644] GetLastError () returned 0x274c [0144.644] SetLastError (dwErrCode=0x274c) [0144.644] RtlUnwindEx (TargetFrame=0x244ed40, TargetIp=0x1d47455, ExceptionRecord=0x244d1e0, ReturnValue=0x0, ContextRecord=0x244d280, HistoryTable=0x244df70) [0144.688] GetLastError () returned 0x274c [0144.688] SetLastError (dwErrCode=0x274c) [0144.688] GetLastError () returned 0x274c [0144.688] SetLastError (dwErrCode=0x274c) [0144.688] GetLastError () returned 0x274c [0144.689] SetLastError (dwErrCode=0x274c) [0144.689] GetLastError () returned 0x274c [0144.689] SetLastError (dwErrCode=0x274c) [0144.689] GetLastError () returned 0x274c [0144.689] SetLastError (dwErrCode=0x274c) [0144.689] GetLastError () returned 0x274c [0144.689] SetLastError (dwErrCode=0x274c) [0144.689] GetLastError () returned 0x274c [0144.689] SetLastError (dwErrCode=0x274c) [0144.689] GetLastError () returned 0x274c [0144.689] SetLastError (dwErrCode=0x274c) [0144.689] GetLastError () returned 0x274c [0144.689] SetLastError (dwErrCode=0x274c) [0144.689] GetLastError () returned 0x274c [0144.689] SetLastError (dwErrCode=0x274c) [0144.689] GetLastError () returned 0x274c [0144.689] SetLastError (dwErrCode=0x274c) [0144.689] GetLastError () returned 0x274c [0144.689] SetLastError (dwErrCode=0x274c) [0144.689] GetLastError () returned 0x274c [0144.689] SetLastError (dwErrCode=0x274c) [0144.689] GetLastError () returned 0x274c [0144.690] SetLastError (dwErrCode=0x274c) [0144.690] GetLastError () returned 0x274c [0144.690] SetLastError (dwErrCode=0x274c) [0144.690] GetLastError () returned 0x274c [0144.690] SetLastError (dwErrCode=0x274c) [0144.690] GetLastError () returned 0x274c [0144.690] SetLastError (dwErrCode=0x274c) [0144.690] GetLastError () returned 0x274c [0144.690] SetLastError (dwErrCode=0x274c) [0144.690] GetLastError () returned 0x274c [0144.690] SetLastError (dwErrCode=0x274c) [0144.690] GetLastError () returned 0x274c [0144.690] SetLastError (dwErrCode=0x274c) [0144.690] GetLastError () returned 0x274c [0144.690] SetLastError (dwErrCode=0x274c) [0144.704] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16d160 | out: hHeap=0xc0000) returned 1 [0144.705] GetLastError () returned 0x274c [0144.705] SetLastError (dwErrCode=0x274c) [0144.705] GetLastError () returned 0x274c [0144.705] SetLastError (dwErrCode=0x274c) [0144.705] GetLastError () returned 0x274c [0144.705] SetLastError (dwErrCode=0x274c) [0144.705] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.706] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.706] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.706] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.706] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.706] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.706] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.706] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.706] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.706] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.706] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.706] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.706] GetLastError () returned 0x274c [0144.706] SetLastError (dwErrCode=0x274c) [0144.779] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12c730 | out: hHeap=0xc0000) returned 1 [0144.779] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5950 | out: hHeap=0xc0000) returned 1 [0144.794] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5cf0 | out: hHeap=0xc0000) returned 1 [0144.794] GetLastError () returned 0x274c [0144.794] SetLastError (dwErrCode=0x274c) [0144.794] GetLastError () returned 0x274c [0144.794] SetLastError (dwErrCode=0x274c) [0144.794] GetLastError () returned 0x274c [0144.794] SetLastError (dwErrCode=0x274c) [0144.794] GetLastError () returned 0x274c [0144.794] SetLastError (dwErrCode=0x274c) [0144.794] GetLastError () returned 0x274c [0144.794] SetLastError (dwErrCode=0x274c) [0144.794] GetLastError () returned 0x274c [0144.795] SetLastError (dwErrCode=0x274c) [0144.795] GetLastError () returned 0x274c [0144.795] SetLastError (dwErrCode=0x274c) [0144.795] GetLastError () returned 0x274c [0144.795] SetLastError (dwErrCode=0x274c) [0144.807] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xf5c50 | out: hHeap=0xc0000) returned 1 [0144.807] GetLastError () returned 0x274c [0144.808] SetLastError (dwErrCode=0x274c) [0144.808] GetLastError () returned 0x274c [0144.808] SetLastError (dwErrCode=0x274c) [0144.808] GetLastError () returned 0x274c [0144.808] SetLastError (dwErrCode=0x274c) [0144.808] GetLastError () returned 0x274c [0144.808] SetLastError (dwErrCode=0x274c) [0144.812] GetLastError () returned 0x274c [0144.812] SetLastError (dwErrCode=0x274c) [0144.812] GetLastError () returned 0x274c [0144.812] SetLastError (dwErrCode=0x274c) [0144.812] GetLastError () returned 0x274c [0144.812] SetLastError (dwErrCode=0x274c) [0144.812] GetLastError () returned 0x274c [0144.812] SetLastError (dwErrCode=0x274c) [0144.812] GetLastError () returned 0x274c [0144.813] SetLastError (dwErrCode=0x274c) [0144.813] GetLastError () returned 0x274c [0144.813] SetLastError (dwErrCode=0x274c) [0144.813] GetLastError () returned 0x274c [0144.813] SetLastError (dwErrCode=0x274c) [0144.813] GetLastError () returned 0x274c [0144.813] SetLastError (dwErrCode=0x274c) [0144.813] GetLastError () returned 0x274c [0144.813] SetLastError (dwErrCode=0x274c) [0144.813] GetLastError () returned 0x274c [0144.813] SetLastError (dwErrCode=0x274c) [0144.813] GetLastError () returned 0x274c [0144.813] SetLastError (dwErrCode=0x274c) [0144.813] GetLastError () returned 0x274c [0144.813] SetLastError (dwErrCode=0x274c) [0144.813] GetLastError () returned 0x274c [0144.813] SetLastError (dwErrCode=0x274c) [0144.813] GetLastError () returned 0x274c [0144.813] SetLastError (dwErrCode=0x274c) [0144.813] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xd0) returned 0x16d160 [0144.814] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16d160 | out: hHeap=0xc0000) returned 1 [0144.814] GetLastError () returned 0x274c [0144.814] SetLastError (dwErrCode=0x274c) [0144.814] GetLastError () returned 0x274c [0144.814] SetLastError (dwErrCode=0x274c) [0144.814] GetLastError () returned 0x274c [0144.814] SetLastError (dwErrCode=0x274c) [0144.814] GetLastError () returned 0x274c [0144.814] SetLastError (dwErrCode=0x274c) [0144.892] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16d240 | out: hHeap=0xc0000) returned 1 [0144.892] GetLastError () returned 0x274c [0144.893] SetLastError (dwErrCode=0x274c) [0144.893] GetLastError () returned 0x274c [0144.893] SetLastError (dwErrCode=0x274c) [0144.922] GetCurrentThreadId () returned 0xae4 [0145.012] GetCurrentThreadId () returned 0xae4 [0145.027] RtlWakeAllConditionVariable () returned 0x772a00b0 [0145.027] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0145.027] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0145.032] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x13a6a0 | out: hHeap=0xc0000) returned 1 [0145.032] closesocket (s=0x1c0) returned 0 [0145.033] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c990 | out: hHeap=0xc0000) returned 1 [0145.034] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x131020 | out: hHeap=0xc0000) returned 1 [0145.035] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12b080 | out: hHeap=0xc0000) returned 1 [0145.035] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12b080 [0145.128] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xa90) returned 0x131020 [0145.330] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x301e8) returned 0x13a6a0 [0145.404] GetCurrentThreadId () returned 0xae4 [0145.404] GetCurrentThreadId () returned 0xae4 [0145.431] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c990 [0145.518] WSASetLastError (iError=0) [0145.518] WSASetLastError (iError=0) [0145.518] getaddrinfo (pNodeName="68.14.122.249", pServiceName="399", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0) [0145.518] getaddrinfo (in: pNodeName="68.14.122.249", pServiceName="399", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0 | out: ppResult=0x244ebd0*=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0x18f, sin_addr="68.14.122.249"), ai_next=0x0)) returned 0 [0145.519] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9d0 [0145.519] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9f0 [0145.519] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x60) returned 0x12c730 [0145.685] FreeAddrInfoW (pAddrInfo=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0x18f, sin_addr="68.14.122.249"), ai_next=0x0)) [0145.685] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x1c0 [0145.686] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x1a4 [0145.686] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16ca10 [0145.686] connect (s=0x1c0, name=0x244eadc*(sa_family=2, sin_port=0x18f, sin_addr="68.14.122.249"), namelen=16) returned -1 [0167.102] WSAGetLastError () [0167.102] WSAGetLastError () returned 10060 [0167.288] FormatMessageW (dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0) [0167.288] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0 | out: lpBuffer="\x16") returned 0xb9 [0167.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 186 [0167.405] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xc0) returned 0xfb8e0 [0167.439] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8e0, cbMultiByte=186, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", lpUsedDefaultChar=0x0) returned 186 [0167.439] LocalFree (hMem=0x16e1b0) returned 0x0 [0167.533] GetLastError () returned 0x274c [0167.549] SetLastError (dwErrCode=0x274c) [0167.604] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11f) returned 0x16e1b0 [0167.621] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0167.621] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xd0) returned 0xfb8e0 [0167.622] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16e1b0 | out: hHeap=0xc0000) returned 1 [0167.622] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0x16e1b0 [0167.622] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0167.656] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0xfb8e0 [0167.676] RtlPcToFileHeader (PcValue=0x1e51060, BaseOfImage=0x244eba0) [0167.676] RtlPcToFileHeader (in: PcValue=0x1e51060, BaseOfImage=0x244eba0 | out: BaseOfImage=0x244eba0*=0x1d20000) returned 0x1d20000 [0167.676] RaiseException (dwExceptionCode=0xe06d7363, dwExceptionFlags=0x1, nNumberOfArguments=0x4, lpArguments=0x244eb60) [0167.693] GetLastError () returned 0x274c [0167.694] SetLastError (dwErrCode=0x274c) [0167.694] GetLastError () returned 0x274c [0167.694] SetLastError (dwErrCode=0x274c) [0167.694] GetLastError () returned 0x274c [0167.694] SetLastError (dwErrCode=0x274c) [0167.694] GetLastError () returned 0x274c [0167.694] SetLastError (dwErrCode=0x274c) [0167.697] GetLastError () returned 0x274c [0167.697] SetLastError (dwErrCode=0x274c) [0167.697] GetLastError () returned 0x274c [0167.697] SetLastError (dwErrCode=0x274c) [0167.697] GetLastError () returned 0x274c [0167.697] SetLastError (dwErrCode=0x274c) [0167.697] GetLastError () returned 0x274c [0167.697] SetLastError (dwErrCode=0x274c) [0167.698] GetLastError () returned 0x274c [0167.698] SetLastError (dwErrCode=0x274c) [0167.698] GetLastError () returned 0x274c [0167.698] SetLastError (dwErrCode=0x274c) [0167.698] GetLastError () returned 0x274c [0167.698] SetLastError (dwErrCode=0x274c) [0167.698] GetLastError () returned 0x274c [0167.698] SetLastError (dwErrCode=0x274c) [0167.698] GetLastError () returned 0x274c [0167.698] SetLastError (dwErrCode=0x274c) [0167.698] GetLastError () returned 0x274c [0167.698] SetLastError (dwErrCode=0x274c) [0167.698] GetLastError () returned 0x274c [0167.698] SetLastError (dwErrCode=0x274c) [0167.698] GetLastError () returned 0x274c [0167.698] SetLastError (dwErrCode=0x274c) [0167.698] GetLastError () returned 0x274c [0167.698] SetLastError (dwErrCode=0x274c) [0167.698] GetLastError () returned 0x274c [0167.698] SetLastError (dwErrCode=0x274c) [0167.698] GetLastError () returned 0x274c [0167.698] SetLastError (dwErrCode=0x274c) [0167.698] GetLastError () returned 0x274c [0167.698] SetLastError (dwErrCode=0x274c) [0167.699] GetLastError () returned 0x274c [0167.699] SetLastError (dwErrCode=0x274c) [0167.699] GetLastError () returned 0x274c [0167.699] SetLastError (dwErrCode=0x274c) [0167.699] GetLastError () returned 0x274c [0167.699] SetLastError (dwErrCode=0x274c) [0167.699] GetLastError () returned 0x274c [0167.699] SetLastError (dwErrCode=0x274c) [0167.699] GetLastError () returned 0x274c [0167.699] SetLastError (dwErrCode=0x274c) [0167.699] GetLastError () returned 0x274c [0167.699] SetLastError (dwErrCode=0x274c) [0167.699] GetLastError () returned 0x274c [0167.699] SetLastError (dwErrCode=0x274c) [0167.699] GetLastError () returned 0x274c [0167.699] SetLastError (dwErrCode=0x274c) [0167.699] GetLastError () returned 0x274c [0167.699] SetLastError (dwErrCode=0x274c) [0167.699] GetLastError () returned 0x274c [0167.699] SetLastError (dwErrCode=0x274c) [0167.699] GetLastError () returned 0x274c [0167.699] SetLastError (dwErrCode=0x274c) [0167.700] GetLastError () returned 0x274c [0167.700] SetLastError (dwErrCode=0x274c) [0167.700] GetLastError () returned 0x274c [0167.700] SetLastError (dwErrCode=0x274c) [0167.700] GetLastError () returned 0x274c [0167.700] SetLastError (dwErrCode=0x274c) [0167.700] GetLastError () returned 0x274c [0167.700] SetLastError (dwErrCode=0x274c) [0167.700] GetLastError () returned 0x274c [0167.700] SetLastError (dwErrCode=0x274c) [0167.700] GetLastError () returned 0x274c [0167.700] SetLastError (dwErrCode=0x274c) [0167.700] GetLastError () returned 0x274c [0167.700] SetLastError (dwErrCode=0x274c) [0167.700] GetLastError () returned 0x274c [0167.700] SetLastError (dwErrCode=0x274c) [0167.700] GetLastError () returned 0x274c [0167.700] SetLastError (dwErrCode=0x274c) [0167.700] GetLastError () returned 0x274c [0167.700] SetLastError (dwErrCode=0x274c) [0167.701] GetLastError () returned 0x274c [0167.701] SetLastError (dwErrCode=0x274c) [0167.701] GetLastError () returned 0x274c [0167.701] SetLastError (dwErrCode=0x274c) [0167.701] RtlUnwindEx (TargetFrame=0x244ed40, TargetIp=0x1d47455, ExceptionRecord=0x244d1e0, ReturnValue=0x0, ContextRecord=0x244d280, HistoryTable=0x244df70) [0167.701] GetLastError () returned 0x274c [0167.701] SetLastError (dwErrCode=0x274c) [0167.701] GetLastError () returned 0x274c [0167.701] SetLastError (dwErrCode=0x274c) [0167.701] GetLastError () returned 0x274c [0167.701] SetLastError (dwErrCode=0x274c) [0167.701] GetLastError () returned 0x274c [0167.701] SetLastError (dwErrCode=0x274c) [0167.701] GetLastError () returned 0x274c [0167.701] SetLastError (dwErrCode=0x274c) [0167.701] GetLastError () returned 0x274c [0167.701] SetLastError (dwErrCode=0x274c) [0167.702] GetLastError () returned 0x274c [0167.702] SetLastError (dwErrCode=0x274c) [0167.702] GetLastError () returned 0x274c [0167.702] SetLastError (dwErrCode=0x274c) [0167.702] GetLastError () returned 0x274c [0167.702] SetLastError (dwErrCode=0x274c) [0167.702] GetLastError () returned 0x274c [0167.702] SetLastError (dwErrCode=0x274c) [0167.702] GetLastError () returned 0x274c [0167.702] SetLastError (dwErrCode=0x274c) [0167.702] GetLastError () returned 0x274c [0167.702] SetLastError (dwErrCode=0x274c) [0167.702] GetLastError () returned 0x274c [0167.702] SetLastError (dwErrCode=0x274c) [0167.702] GetLastError () returned 0x274c [0167.702] SetLastError (dwErrCode=0x274c) [0167.702] GetLastError () returned 0x274c [0167.702] SetLastError (dwErrCode=0x274c) [0167.702] GetLastError () returned 0x274c [0167.702] SetLastError (dwErrCode=0x274c) [0167.702] GetLastError () returned 0x274c [0167.702] SetLastError (dwErrCode=0x274c) [0167.702] GetLastError () returned 0x274c [0167.702] SetLastError (dwErrCode=0x274c) [0167.703] GetLastError () returned 0x274c [0167.703] SetLastError (dwErrCode=0x274c) [0167.703] GetLastError () returned 0x274c [0167.703] SetLastError (dwErrCode=0x274c) [0167.703] GetLastError () returned 0x274c [0167.703] SetLastError (dwErrCode=0x274c) [0167.721] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16e1b0 | out: hHeap=0xc0000) returned 1 [0167.721] GetLastError () returned 0x274c [0167.721] SetLastError (dwErrCode=0x274c) [0167.721] GetLastError () returned 0x274c [0167.721] SetLastError (dwErrCode=0x274c) [0167.721] GetLastError () returned 0x274c [0167.721] SetLastError (dwErrCode=0x274c) [0167.721] GetLastError () returned 0x274c [0167.721] SetLastError (dwErrCode=0x274c) [0167.721] GetLastError () returned 0x274c [0167.721] SetLastError (dwErrCode=0x274c) [0167.721] GetLastError () returned 0x274c [0167.721] SetLastError (dwErrCode=0x274c) [0167.721] GetLastError () returned 0x274c [0167.721] SetLastError (dwErrCode=0x274c) [0167.721] GetLastError () returned 0x274c [0167.721] SetLastError (dwErrCode=0x274c) [0167.721] GetLastError () returned 0x274c [0167.722] SetLastError (dwErrCode=0x274c) [0167.722] GetLastError () returned 0x274c [0167.722] SetLastError (dwErrCode=0x274c) [0167.722] GetLastError () returned 0x274c [0167.722] SetLastError (dwErrCode=0x274c) [0167.722] GetLastError () returned 0x274c [0167.722] SetLastError (dwErrCode=0x274c) [0167.722] GetLastError () returned 0x274c [0167.722] SetLastError (dwErrCode=0x274c) [0167.722] GetLastError () returned 0x274c [0167.722] SetLastError (dwErrCode=0x274c) [0167.722] GetLastError () returned 0x274c [0167.722] SetLastError (dwErrCode=0x274c) [0167.722] GetLastError () returned 0x274c [0167.722] SetLastError (dwErrCode=0x274c) [0167.763] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12c730 | out: hHeap=0xc0000) returned 1 [0167.763] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9d0 | out: hHeap=0xc0000) returned 1 [0167.969] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9f0 | out: hHeap=0xc0000) returned 1 [0167.970] GetLastError () returned 0x274c [0167.997] SetLastError (dwErrCode=0x274c) [0167.997] GetLastError () returned 0x274c [0167.997] SetLastError (dwErrCode=0x274c) [0167.997] GetLastError () returned 0x274c [0167.997] SetLastError (dwErrCode=0x274c) [0167.997] GetLastError () returned 0x274c [0167.997] SetLastError (dwErrCode=0x274c) [0167.997] GetLastError () returned 0x274c [0167.997] SetLastError (dwErrCode=0x274c) [0167.997] GetLastError () returned 0x274c [0167.997] SetLastError (dwErrCode=0x274c) [0167.997] GetLastError () returned 0x274c [0167.998] SetLastError (dwErrCode=0x274c) [0167.998] GetLastError () returned 0x274c [0167.998] SetLastError (dwErrCode=0x274c) [0168.015] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c990 | out: hHeap=0xc0000) returned 1 [0168.015] GetLastError () returned 0x274c [0168.015] SetLastError (dwErrCode=0x274c) [0168.015] GetLastError () returned 0x274c [0168.015] SetLastError (dwErrCode=0x274c) [0168.015] GetLastError () returned 0x274c [0168.015] SetLastError (dwErrCode=0x274c) [0168.015] GetLastError () returned 0x274c [0168.015] SetLastError (dwErrCode=0x274c) [0168.015] GetLastError () returned 0x274c [0168.015] SetLastError (dwErrCode=0x274c) [0168.016] GetLastError () returned 0x274c [0168.016] SetLastError (dwErrCode=0x274c) [0168.016] GetLastError () returned 0x274c [0168.016] SetLastError (dwErrCode=0x274c) [0168.016] GetLastError () returned 0x274c [0168.016] SetLastError (dwErrCode=0x274c) [0168.016] GetLastError () returned 0x274c [0168.016] SetLastError (dwErrCode=0x274c) [0168.016] GetLastError () returned 0x274c [0168.016] SetLastError (dwErrCode=0x274c) [0168.016] GetLastError () returned 0x274c [0168.016] SetLastError (dwErrCode=0x274c) [0168.016] GetLastError () returned 0x274c [0168.016] SetLastError (dwErrCode=0x274c) [0168.016] GetLastError () returned 0x274c [0168.016] SetLastError (dwErrCode=0x274c) [0168.016] GetLastError () returned 0x274c [0168.016] SetLastError (dwErrCode=0x274c) [0168.016] GetLastError () returned 0x274c [0168.016] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xd0) returned 0x16e1b0 [0168.017] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16e1b0 | out: hHeap=0xc0000) returned 1 [0168.017] GetLastError () returned 0x274c [0168.035] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0168.035] GetLastError () returned 0x274c [0168.079] GetCurrentThreadId () returned 0xae4 [0168.097] GetCurrentThreadId () returned 0xae4 [0168.138] FreeContextBuffer (pvContextBuffer=0x0) [0168.138] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0168.138] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0168.139] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x13a6a0 | out: hHeap=0xc0000) returned 1 [0168.140] closesocket (s=0x1c0) returned 0 [0168.141] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16ca10 | out: hHeap=0xc0000) returned 1 [0168.159] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x131020 | out: hHeap=0xc0000) returned 1 [0168.189] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12b080 | out: hHeap=0xc0000) returned 1 [0168.189] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12b080 [0168.293] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xa90) returned 0x131020 [0168.441] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x301e8) returned 0x13a6a0 [0168.483] GetCurrentThreadId () returned 0xae4 [0168.483] GetCurrentThreadId () returned 0xae4 [0168.525] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16ca10 [0168.545] WSASetLastError (iError=0) [0168.545] WSASetLastError (iError=0) [0168.545] getaddrinfo (pNodeName="19.145.84.7", pServiceName="406", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0) [0168.545] getaddrinfo (in: pNodeName="19.145.84.7", pServiceName="406", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0 | out: ppResult=0x244ebd0*=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0x196, sin_addr="19.145.84.7"), ai_next=0x0)) returned 0 [0168.546] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c990 [0168.546] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9f0 [0168.546] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x60) returned 0x12c730 [0168.562] FreeAddrInfoW (pAddrInfo=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0x196, sin_addr="19.145.84.7"), ai_next=0x0)) [0168.562] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x1c0 [0168.564] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) [0168.564] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x1a4 [0168.564] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9d0 [0168.564] connect (s=0x1c0, name=0x244eadc*(sa_family=2, sin_port=0x196, sin_addr="19.145.84.7"), namelen=16) returned -1 [0193.153] WSAGetLastError () returned 10060 [0193.184] FormatMessageW (dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0) [0193.184] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0 | out: lpBuffer="⺀\x11") returned 0xb9 [0193.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 186 [0193.214] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xc0) returned 0xfb8e0 [0193.246] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8e0, cbMultiByte=186, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", lpUsedDefaultChar=0x0) returned 186 [0193.247] LocalFree (hMem=0x112e80) [0193.247] LocalFree (hMem=0x112e80) returned 0x0 [0193.311] GetLastError () returned 0x274c [0193.370] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11f) returned 0x11fc20 [0193.383] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0193.383] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xd0) returned 0xfb8e0 [0193.384] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x11fc20 | out: hHeap=0xc0000) returned 1 [0193.384] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0x11fc20 [0193.385] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0193.410] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0xfb8e0 [0193.424] RtlPcToFileHeader (PcValue=0x1e51060, BaseOfImage=0x244eba0) [0193.425] RtlPcToFileHeader (in: PcValue=0x1e51060, BaseOfImage=0x244eba0 | out: BaseOfImage=0x244eba0*=0x1d20000) returned 0x1d20000 [0193.425] RaiseException (dwExceptionCode=0xe06d7363, dwExceptionFlags=0x1, nNumberOfArguments=0x4, lpArguments=0x244eb60) [0193.425] RaiseException (dwExceptionCode=0xe06d7363, dwExceptionFlags=0x1, nNumberOfArguments=0x4, lpArguments=0x244eb60) [0193.438] GetLastError () returned 0x274c [0193.438] RtlUnwindEx (TargetFrame=0x244ed40, TargetIp=0x1d47455, ExceptionRecord=0x244d1e0, ReturnValue=0x0, ContextRecord=0x244d280, HistoryTable=0x244df70) [0193.439] GetLastError () returned 0x274c [0193.439] GetLastError () returned 0x274c [0193.452] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x11fc20 | out: hHeap=0xc0000) returned 1 [0193.452] GetLastError () returned 0x274c [0193.452] GetLastError () returned 0x274c [0193.466] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12c730 | out: hHeap=0xc0000) returned 1 [0193.466] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c990 | out: hHeap=0xc0000) returned 1 [0193.479] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9f0 | out: hHeap=0xc0000) returned 1 [0193.479] GetLastError () returned 0x274c [0193.492] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16ca10 | out: hHeap=0xc0000) returned 1 [0193.492] GetLastError () returned 0x274c [0193.492] GetLastError () returned 0x274c [0193.506] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0193.506] GetLastError () returned 0x274c [0193.532] GetCurrentThreadId () returned 0xae4 [0193.549] GetCurrentThreadId () returned 0xae4 [0193.574] FreeContextBuffer (pvContextBuffer=0x0) [0193.574] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0193.574] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0193.584] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x13a6a0 | out: hHeap=0xc0000) returned 1 [0193.584] closesocket (s=0x1c0) returned 0 [0193.585] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9d0 | out: hHeap=0xc0000) returned 1 [0193.586] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x131020 | out: hHeap=0xc0000) returned 1 [0193.586] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12b080 | out: hHeap=0xc0000) returned 1 [0193.586] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12b080 [0193.636] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xa90) [0193.636] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xa90) returned 0x131020 [0193.739] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x301e8) returned 0x13a6a0 [0193.782] GetCurrentThreadId () returned 0xae4 [0193.782] GetCurrentThreadId () returned 0xae4 [0193.845] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9d0 [0193.858] WSASetLastError (iError=0) [0193.858] WSASetLastError (iError=0) [0193.858] getaddrinfo (pNodeName="223.135.6.77", pServiceName="148", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0) [0193.858] getaddrinfo (in: pNodeName="223.135.6.77", pServiceName="148", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0 | out: ppResult=0x244ebd0*=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0x94, sin_addr="223.135.6.77"), ai_next=0x0)) returned 0 [0193.858] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16ca10 [0193.858] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9f0 [0193.858] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x60) returned 0x12c730 [0193.875] FreeAddrInfoW (pAddrInfo=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0x94, sin_addr="223.135.6.77"), ai_next=0x0)) [0193.875] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x1c0 [0193.877] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) [0193.877] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x1a4 [0193.877] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c990 [0193.877] connect (s=0x1c0, name=0x244eadc*(sa_family=2, sin_port=0x94, sin_addr="223.135.6.77"), namelen=16) returned -1 [0195.637] WSAGetLastError () returned 10061 [0195.663] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274d, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0 | out: lpBuffer="寀\x10") returned 0x4d [0195.664] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="No connection could be made because the target machine actively refused it.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 78 [0195.716] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x50) returned 0x108be0 [0195.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="No connection could be made because the target machine actively refused it.\r\n", cchWideChar=-1, lpMultiByteStr=0x108be0, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No connection could be made because the target machine actively refused it.\r\n", lpUsedDefaultChar=0x0) returned 78 [0195.755] LocalFree (hMem=0x105bc0) returned 0x0 [0195.805] GetLastError () returned 0x274d [0195.867] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x77) returned 0xebfb0 [0195.880] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x108be0 | out: hHeap=0xc0000) returned 1 [0195.881] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x70) returned 0xec3b0 [0195.881] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xebfb0 | out: hHeap=0xc0000) returned 1 [0195.881] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x63) returned 0x12c5e0 [0195.882] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xec3b0 | out: hHeap=0xc0000) returned 1 [0195.911] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x63) returned 0x12c6c0 [0195.924] RtlPcToFileHeader (in: PcValue=0x1e51060, BaseOfImage=0x244eba0 | out: BaseOfImage=0x244eba0*=0x1d20000) returned 0x1d20000 [0195.924] RaiseException (dwExceptionCode=0xe06d7363, dwExceptionFlags=0x1, nNumberOfArguments=0x4, lpArguments=0x244eb60) [0195.943] GetLastError () returned 0x274d [0195.943] RtlUnwindEx (TargetFrame=0x244ed40, TargetIp=0x1d47455, ExceptionRecord=0x244d1e0, ReturnValue=0x0, ContextRecord=0x244d280, HistoryTable=0x244df70) [0195.943] GetLastError () returned 0x274d [0195.943] GetLastError () returned 0x274d [0195.957] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12c5e0 | out: hHeap=0xc0000) returned 1 [0195.957] GetLastError () returned 0x274d [0195.957] GetLastError () returned 0x274d [0195.984] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12c730 | out: hHeap=0xc0000) returned 1 [0195.984] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16ca10 | out: hHeap=0xc0000) returned 1 [0195.997] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9f0 | out: hHeap=0xc0000) returned 1 [0195.997] GetLastError () returned 0x274d [0196.009] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9d0 | out: hHeap=0xc0000) returned 1 [0196.009] GetLastError () returned 0x274d [0196.009] GetLastError () returned 0x274d [0196.022] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12c6c0 | out: hHeap=0xc0000) returned 1 [0196.022] GetLastError () returned 0x274d [0196.047] GetCurrentThreadId () returned 0xae4 [0196.060] GetCurrentThreadId () returned 0xae4 [0196.111] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0196.111] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0196.114] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x13a6a0 | out: hHeap=0xc0000) returned 1 [0196.114] closesocket (s=0x1c0) returned 0 [0196.114] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c990 | out: hHeap=0xc0000) returned 1 [0196.115] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x131020 | out: hHeap=0xc0000) returned 1 [0196.116] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12b080 | out: hHeap=0xc0000) returned 1 [0196.116] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12b080 [0196.149] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xa90) returned 0x131020 [0196.188] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x301e8) returned 0x13a6a0 [0196.216] GetCurrentThreadId () returned 0xae4 [0196.216] GetCurrentThreadId () returned 0xae4 [0196.245] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c990 [0196.258] WSASetLastError (iError=0) [0196.258] getaddrinfo (in: pNodeName="156.216.108.127", pServiceName="166", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0 | out: ppResult=0x244ebd0*=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0xa6, sin_addr="156.216.108.127"), ai_next=0x0)) returned 0 [0196.258] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9d0 [0196.259] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9f0 [0196.259] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x60) returned 0x12c6c0 [0196.272] FreeAddrInfoW (pAddrInfo=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0xa6, sin_addr="156.216.108.127"), ai_next=0x0)) [0196.272] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x1c0 [0196.272] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x1a4 [0196.272] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16ca10 [0196.272] connect (s=0x1c0, name=0x244eadc*(sa_family=2, sin_port=0xa6, sin_addr="156.216.108.127"), namelen=16) returned -1 [0217.346] WSAGetLastError () returned 10060 [0217.378] FormatMessageW (dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0) [0217.378] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0 | out: lpBuffer="⺀\x11") returned 0xb9 [0217.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 186 [0217.447] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xc0) returned 0xfb8e0 [0217.473] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8e0, cbMultiByte=186, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", lpUsedDefaultChar=0x0) returned 186 [0217.473] LocalFree (hMem=0x112e80) returned 0x0 [0217.540] GetLastError () returned 0x274c [0217.565] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11f) returned 0x11fc20 [0217.578] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0217.578] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xd0) returned 0xfb8e0 [0217.579] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x11fc20 | out: hHeap=0xc0000) returned 1 [0217.579] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0x11fc20 [0217.580] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0217.607] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0xfb8e0 [0217.622] RtlPcToFileHeader (PcValue=0x1e51060, BaseOfImage=0x244eba0) [0217.622] RtlPcToFileHeader (in: PcValue=0x1e51060, BaseOfImage=0x244eba0 | out: BaseOfImage=0x244eba0*=0x1d20000) returned 0x1d20000 [0217.622] RaiseException (dwExceptionCode=0xe06d7363, dwExceptionFlags=0x1, nNumberOfArguments=0x4, lpArguments=0x244eb60) [0217.635] GetLastError () returned 0x274c [0217.635] RtlUnwindEx (TargetFrame=0x244ed40, TargetIp=0x1d47455, ExceptionRecord=0x244d1e0, ReturnValue=0x0, ContextRecord=0x244d280, HistoryTable=0x244df70) [0217.636] GetLastError () returned 0x274c [0217.636] GetLastError () returned 0x274c [0217.650] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x11fc20 | out: hHeap=0xc0000) returned 1 [0217.650] GetLastError () returned 0x274c [0217.651] GetLastError () returned 0x274c [0217.677] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12c6c0 | out: hHeap=0xc0000) returned 1 [0217.677] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9d0 | out: hHeap=0xc0000) returned 1 [0217.691] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9f0 | out: hHeap=0xc0000) returned 1 [0217.691] GetLastError () returned 0x274c [0217.703] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c990 | out: hHeap=0xc0000) returned 1 [0217.703] GetLastError () returned 0x274c [0217.703] GetLastError () returned 0x274c [0217.716] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0217.716] GetLastError () returned 0x274c [0217.743] GetCurrentThreadId () returned 0xae4 [0217.761] GetCurrentThreadId () returned 0xae4 [0217.796] FreeContextBuffer (pvContextBuffer=0x0) [0217.796] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0217.796] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0217.798] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x13a6a0 | out: hHeap=0xc0000) returned 1 [0217.798] closesocket (s=0x1c0) returned 0 [0217.799] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16ca10 | out: hHeap=0xc0000) returned 1 [0217.800] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x131020 | out: hHeap=0xc0000) returned 1 [0217.801] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12b080 | out: hHeap=0xc0000) returned 1 [0217.801] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12b080 [0217.831] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xa90) returned 0x131020 [0217.938] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x301e8) returned 0x13a6a0 [0217.982] GetCurrentThreadId () returned 0xae4 [0217.982] GetCurrentThreadId () returned 0xae4 [0218.030] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16ca10 [0218.055] WSASetLastError (iError=0) [0218.055] getaddrinfo (in: pNodeName="102.140.73.149", pServiceName="203", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0 | out: ppResult=0x244ebd0*=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0xcb, sin_addr="102.140.73.149"), ai_next=0x0)) returned 0 [0218.055] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c990 [0218.055] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9f0 [0218.055] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x60) returned 0x12c6c0 [0218.094] FreeAddrInfoW (pAddrInfo=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0xcb, sin_addr="102.140.73.149"), ai_next=0x0)) [0218.094] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x1c0 [0218.097] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) [0218.098] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x1a4 [0218.098] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9d0 [0218.098] connect (s=0x1c0, name=0x244eadc*(sa_family=2, sin_port=0xcb, sin_addr="102.140.73.149"), namelen=16) returned -1 [0239.172] WSAGetLastError () [0239.172] WSAGetLastError () returned 10060 [0239.359] FormatMessageW (dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0) [0239.359] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0 | out: lpBuffer="⺀\x11") returned 0xb9 [0239.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 186 [0239.421] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xc0) returned 0xfb8e0 [0239.448] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8e0, cbMultiByte=186, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", lpUsedDefaultChar=0x0) returned 186 [0239.448] LocalFree (hMem=0x112e80) returned 0x0 [0239.520] GetLastError () returned 0x274c [0239.561] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11f) returned 0x11fc20 [0239.648] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0239.702] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xd0) returned 0xfb8e0 [0239.703] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x11fc20 | out: hHeap=0xc0000) returned 1 [0239.738] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0x11fc20 [0239.752] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0239.785] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0xfb8e0 [0239.800] RtlPcToFileHeader (PcValue=0x1e51060, BaseOfImage=0x244eba0) [0239.800] RtlPcToFileHeader (in: PcValue=0x1e51060, BaseOfImage=0x244eba0 | out: BaseOfImage=0x244eba0*=0x1d20000) returned 0x1d20000 [0239.800] RaiseException (dwExceptionCode=0xe06d7363, dwExceptionFlags=0x1, nNumberOfArguments=0x4, lpArguments=0x244eb60) [0239.800] RaiseException (dwExceptionCode=0xe06d7363, dwExceptionFlags=0x1, nNumberOfArguments=0x4, lpArguments=0x244eb60) [0239.827] GetLastError () returned 0x274c [0239.854] GetLastError () returned 0x274c [0239.854] RtlUnwindEx (TargetFrame=0x244ed40, TargetIp=0x1d47455, ExceptionRecord=0x244d1e0, ReturnValue=0x0, ContextRecord=0x244d280, HistoryTable=0x244df70) [0239.854] GetLastError () returned 0x274c [0239.854] GetLastError () returned 0x274c [0239.867] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x11fc20 | out: hHeap=0xc0000) returned 1 [0239.867] GetLastError () returned 0x274c [0239.868] GetLastError () returned 0x274c [0239.912] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12c6c0 | out: hHeap=0xc0000) returned 1 [0239.912] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c990 | out: hHeap=0xc0000) returned 1 [0239.929] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9f0 | out: hHeap=0xc0000) returned 1 [0239.929] GetLastError () returned 0x274c [0239.947] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16ca10 | out: hHeap=0xc0000) returned 1 [0239.947] GetLastError () returned 0x274c [0239.947] GetLastError () returned 0x274c [0240.003] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0240.003] GetLastError () returned 0x274c [0240.054] GetCurrentThreadId () returned 0xae4 [0240.074] GetCurrentThreadId () returned 0xae4 [0240.115] FreeContextBuffer (pvContextBuffer=0x0) [0240.115] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0240.115] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0240.117] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x13a6a0 | out: hHeap=0xc0000) returned 1 [0240.117] closesocket (s=0x1c0) returned 0 [0240.140] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9d0 | out: hHeap=0xc0000) returned 1 [0240.166] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x131020 | out: hHeap=0xc0000) returned 1 [0240.187] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12b080 | out: hHeap=0xc0000) returned 1 [0240.188] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12b080 [0240.234] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xa90) returned 0x131020 [0240.310] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x301e8) returned 0x13a6a0 [0240.338] GetCurrentThreadId () returned 0xae4 [0240.338] GetCurrentThreadId () returned 0xae4 [0240.373] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9d0 [0240.387] WSASetLastError (iError=0) [0240.387] WSASetLastError (iError=0) [0240.387] getaddrinfo (pNodeName="95.75.67.119", pServiceName="378", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0) [0240.387] getaddrinfo (in: pNodeName="95.75.67.119", pServiceName="378", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0 | out: ppResult=0x244ebd0*=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0x17a, sin_addr="95.75.67.119"), ai_next=0x0)) returned 0 [0240.387] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16ca10 [0240.387] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9f0 [0240.387] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x60) returned 0x12c6c0 [0240.402] FreeAddrInfoW (pAddrInfo=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0x17a, sin_addr="95.75.67.119"), ai_next=0x0)) [0240.402] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x1c0 [0240.403] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) [0240.403] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x1a4 [0240.404] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c990 [0240.404] connect (s=0x1c0, name=0x244eadc*(sa_family=2, sin_port=0x17a, sin_addr="95.75.67.119"), namelen=16) returned -1 [0261.472] WSAGetLastError () returned 10060 [0261.646] FormatMessageW (dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0) [0261.646] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0 | out: lpBuffer="⺀\x11") returned 0xb9 [0261.647] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 186 [0261.736] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xc0) returned 0xfb8e0 [0261.811] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8e0, cbMultiByte=186, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", lpUsedDefaultChar=0x0) returned 186 [0261.811] LocalFree (hMem=0x112e80) returned 0x0 [0261.931] GetLastError () returned 0x274c [0262.038] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11f) returned 0x11fc20 [0262.061] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0262.061] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xd0) returned 0xfb8e0 [0262.062] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x11fc20 | out: hHeap=0xc0000) returned 1 [0262.062] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0x11fc20 [0262.063] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0262.184] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0xfb8e0 [0262.208] RtlPcToFileHeader (PcValue=0x1e51060, BaseOfImage=0x244eba0) [0262.208] RtlPcToFileHeader (in: PcValue=0x1e51060, BaseOfImage=0x244eba0 | out: BaseOfImage=0x244eba0*=0x1d20000) returned 0x1d20000 [0262.209] RaiseException (dwExceptionCode=0xe06d7363, dwExceptionFlags=0x1, nNumberOfArguments=0x4, lpArguments=0x244eb60) [0262.209] RaiseException (dwExceptionCode=0xe06d7363, dwExceptionFlags=0x1, nNumberOfArguments=0x4, lpArguments=0x244eb60) [0262.232] GetLastError () [0262.232] GetLastError () returned 0x274c [0262.232] RtlUnwindEx (TargetFrame=0x244ed40, TargetIp=0x1d47455, ExceptionRecord=0x244d1e0, ReturnValue=0x0, ContextRecord=0x244d280, HistoryTable=0x244df70) [0262.233] GetLastError () returned 0x274c [0262.233] GetLastError () returned 0x274c [0262.251] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x11fc20 | out: hHeap=0xc0000) returned 1 [0262.251] GetLastError () returned 0x274c [0262.251] GetLastError () returned 0x274c [0262.280] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12c6c0 | out: hHeap=0xc0000) returned 1 [0262.280] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16ca10 | out: hHeap=0xc0000) returned 1 [0262.293] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9f0 | out: hHeap=0xc0000) returned 1 [0262.293] GetLastError () returned 0x274c [0262.305] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9d0 | out: hHeap=0xc0000) returned 1 [0262.305] GetLastError () returned 0x274c [0262.305] GetLastError () returned 0x274c [0262.319] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0262.319] GetLastError () returned 0x274c [0262.355] GetCurrentThreadId () [0262.355] GetCurrentThreadId () returned 0xae4 [0262.367] GetCurrentThreadId () returned 0xae4 [0262.395] FreeContextBuffer (pvContextBuffer=0x0) [0262.395] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0262.395] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0262.397] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x13a6a0 | out: hHeap=0xc0000) returned 1 [0262.397] closesocket (s=0x1c0) [0262.397] closesocket (s=0x1c0) returned 0 [0262.399] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c990 | out: hHeap=0xc0000) returned 1 [0262.399] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x131020 | out: hHeap=0xc0000) returned 1 [0262.400] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12b080 | out: hHeap=0xc0000) returned 1 [0262.400] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12b080 [0262.426] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xa90) returned 0x131020 [0262.505] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x301e8) returned 0x13a6a0 [0262.535] GetCurrentThreadId () returned 0xae4 [0262.535] GetCurrentThreadId () returned 0xae4 [0262.565] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c990 [0262.590] WSASetLastError (iError=0) [0262.590] WSASetLastError (iError=0) [0262.590] getaddrinfo (pNodeName="131.0.32.0", pServiceName="278", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0) [0262.590] getaddrinfo (in: pNodeName="131.0.32.0", pServiceName="278", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0 | out: ppResult=0x244ebd0*=0x1fa5780*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57c0*(sa_family=2, sin_port=0x116, sin_addr="131.0.32.0"), ai_next=0x0)) returned 0 [0262.590] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9d0 [0262.590] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9f0 [0262.590] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x60) returned 0x12c6c0 [0262.614] FreeAddrInfoW (pAddrInfo=0x1fa5780*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57c0*(sa_family=2, sin_port=0x116, sin_addr="131.0.32.0"), ai_next=0x0)) [0262.614] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x1c0 [0262.616] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) [0262.616] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x1a4 [0262.616] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16ca10 [0262.616] connect (s=0x1c0, name=0x244eadc*(sa_family=2, sin_port=0x116, sin_addr="131.0.32.0"), namelen=16) returned -1 [0283.803] WSAGetLastError () [0283.803] WSAGetLastError () returned 10060 [0283.965] FormatMessageW (dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0) [0283.965] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x274c, dwLanguageId=0x400, lpBuffer=0x244eb10, nSize=0x0, Arguments=0x0 | out: lpBuffer="⺀\x11") returned 0xb9 [0283.966] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 186 [0284.046] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xc0) returned 0xfb8e0 [0284.079] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", cchWideChar=-1, lpMultiByteStr=0xfb8e0, cbMultiByte=186, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.\r\n", lpUsedDefaultChar=0x0) returned 186 [0284.079] LocalFree (hMem=0x112e80) returned 0x0 [0284.150] GetLastError () returned 0x274c [0284.204] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x11f) returned 0x11fc20 [0284.219] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0284.219] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xd0) returned 0xfb8e0 [0284.219] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x11fc20 | out: hHeap=0xc0000) returned 1 [0284.219] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0x11fc20 [0284.220] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0284.248] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xcf) returned 0xfb8e0 [0284.261] RtlPcToFileHeader (PcValue=0x1e51060, BaseOfImage=0x244eba0) [0284.261] RtlPcToFileHeader (in: PcValue=0x1e51060, BaseOfImage=0x244eba0 | out: BaseOfImage=0x244eba0*=0x1d20000) returned 0x1d20000 [0284.262] RaiseException (dwExceptionCode=0xe06d7363, dwExceptionFlags=0x1, nNumberOfArguments=0x4, lpArguments=0x244eb60) [0284.262] RaiseException (dwExceptionCode=0xe06d7363, dwExceptionFlags=0x1, nNumberOfArguments=0x4, lpArguments=0x244eb60) [0284.280] GetLastError () returned 0x274c [0284.280] RtlUnwindEx (TargetFrame=0x244ed40, TargetIp=0x1d47455, ExceptionRecord=0x244d1e0, ReturnValue=0x0, ContextRecord=0x244d280, HistoryTable=0x244df70) [0284.280] GetLastError () returned 0x274c [0284.280] GetLastError () returned 0x274c [0284.294] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x11fc20 | out: hHeap=0xc0000) returned 1 [0284.294] GetLastError () returned 0x274c [0284.295] GetLastError () returned 0x274c [0284.321] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12c6c0 | out: hHeap=0xc0000) returned 1 [0284.321] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9d0 | out: hHeap=0xc0000) returned 1 [0284.334] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c9f0 | out: hHeap=0xc0000) returned 1 [0284.334] GetLastError () returned 0x274c [0284.347] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16c990 | out: hHeap=0xc0000) returned 1 [0284.347] GetLastError () returned 0x274c [0284.347] GetLastError () returned 0x274c [0284.360] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xfb8e0 | out: hHeap=0xc0000) returned 1 [0284.360] GetLastError () returned 0x274c [0284.386] GetCurrentThreadId () returned 0xae4 [0284.399] GetCurrentThreadId () returned 0xae4 [0284.411] FreeContextBuffer (pvContextBuffer=0x0) [0284.411] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0284.411] FreeContextBuffer (in: pvContextBuffer=0x0 | out: pvContextBuffer=0x0) returned 0x0 [0284.413] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x13a6a0 | out: hHeap=0xc0000) returned 1 [0284.415] closesocket (s=0x1c0) returned 0 [0284.415] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x16ca10 | out: hHeap=0xc0000) returned 1 [0284.416] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x131020 | out: hHeap=0xc0000) returned 1 [0284.416] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x12b080 | out: hHeap=0xc0000) returned 1 [0284.416] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x20) returned 0x12b080 [0284.442] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0xa90) returned 0x131020 [0284.532] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x301e8) returned 0x13a6a0 [0284.559] GetCurrentThreadId () returned 0xae4 [0284.559] GetCurrentThreadId () returned 0xae4 [0284.584] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16ca10 [0284.599] WSASetLastError (iError=0) [0284.599] WSASetLastError (iError=0) [0284.599] getaddrinfo (pNodeName="67.170.228.186", pServiceName="485", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0) [0284.599] getaddrinfo (in: pNodeName="67.170.228.186", pServiceName="485", pHints=0x244ec40*(ai_flags=0, ai_family=0, ai_socktype=1, ai_protocol=6, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x244ebd0 | out: ppResult=0x244ebd0*=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0x1e5, sin_addr="67.170.228.186"), ai_next=0x0)) returned 0 [0284.599] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c990 [0284.600] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9f0 [0284.600] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x60) returned 0x12c6c0 [0284.612] FreeAddrInfoW (pAddrInfo=0x1fa5790*(ai_flags=4, ai_family=2, ai_socktype=1, ai_protocol=6, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x1fa57d0*(sa_family=2, sin_port=0x1e5, sin_addr="67.170.228.186"), ai_next=0x0)) [0284.612] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x1c0 [0284.613] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) [0284.613] CreateIoCompletionPort (FileHandle=0x1c0, ExistingCompletionPort=0x1a4, CompletionKey=0x0, NumberOfConcurrentThreads=0x0) returned 0x1a4 [0284.613] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x18) returned 0x16c9d0 [0284.614] connect (s=0x1c0, name=0x244eadc*(sa_family=2, sin_port=0x1e5, sin_addr="67.170.228.186"), namelen=16) Thread: id = 65 os_tid = 0xb54 Thread: id = 128 os_tid = 0xb58 [0091.362] GetLastError () returned 0x57 [0091.363] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x78) returned 0xebfb0 [0091.363] SetLastError (dwErrCode=0x57) [0091.583] GetLastError () returned 0x57 [0091.604] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3c8) returned 0x112e80 [0092.069] SetLastError (dwErrCode=0x57) [0172.127] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0xebfb0 | out: hHeap=0xc0000) returned 1 [0172.183] HeapFree (in: hHeap=0xc0000, dwFlags=0x0, lpMem=0x112e80 | out: hHeap=0xc0000) returned 1 Thread: id = 133 os_tid = 0xf18 [0093.651] GetLastError () returned 0x57 [0093.652] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x78) returned 0xec030 [0093.652] SetLastError (dwErrCode=0x57) [0093.652] GetLastError () returned 0x57 [0093.653] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3c8) returned 0x124ce0 [0093.653] SetLastError (dwErrCode=0x57) Thread: id = 134 os_tid = 0xfa0 [0093.654] GetLastError () returned 0x57 [0093.654] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x78) returned 0xec0b0 [0093.654] SetLastError (dwErrCode=0x57) [0093.654] GetLastError () returned 0x57 [0093.654] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3c8) returned 0x128940 [0093.655] SetLastError (dwErrCode=0x57) Thread: id = 145 os_tid = 0xde4 [0099.379] GetLastError () returned 0x57 [0099.379] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x78) returned 0xec130 [0099.379] SetLastError (dwErrCode=0x57) [0099.379] GetLastError () returned 0x57 [0099.379] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3c8) returned 0x12f920 [0099.545] SetLastError (dwErrCode=0x57) [0099.546] GetLastError () returned 0x57 [0099.546] SetLastError (dwErrCode=0x57) [0099.561] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0099.562] GetLastError () returned 0x7e [0099.562] LoadLibraryExW (lpLibFileName="ext-ms-win-kernel32-package-current-l1-1-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0099.562] GetLastError () returned 0x7e [0099.562] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x30) returned 0x1213f0 [0099.732] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x0, Size=0x30) returned 0x121a70 [0099.732] RpcServerUseProtseqEpA (Protseq=0x1e1ac20, MaxCalls=0x4d2, Endpoint=0x121a70, SecurityDescriptor=0x0) returned 0x0 [0099.737] RpcServerRegisterIfEx (IfSpec=0x1e13c30, MgrTypeUuid=0x0, MgrEpv=0x0, Flags=0x10, MaxCalls=0x4d2, IfCallback=0x1d2a240) returned 0x0 [0099.982] RpcServerListen (MinimumCallThreads=0x1, MaxCalls=0x4d2, DontWait=0x0) Thread: id = 170 os_tid = 0x9c0 [0121.311] GetLastError () returned 0x57 [0121.311] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x78) returned 0xec330 [0121.311] SetLastError (dwErrCode=0x57) [0121.423] GetLastError () returned 0x57 [0121.437] RtlAllocateHeap (HeapHandle=0xc0000, Flags=0x8, Size=0x3c8) returned 0x16c120 [0121.630] SetLastError (dwErrCode=0x57) [0121.646] GetLastError () returned 0x57 [0121.646] SetLastError (dwErrCode=0x57) [0121.659] SetEvent (hEvent=0x1ac) returned 1 [0121.840] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xffffffff) Process: id = "3" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x45078000" os_pid = "0xfe4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 380 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 381 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 382 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 383 start_va = 0x210000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 384 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 385 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 386 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 387 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 388 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 389 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 390 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 391 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 392 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 393 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 394 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 395 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 396 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 397 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 398 start_va = 0x150000 end_va = 0x1b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 399 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 400 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 401 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 402 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 403 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 404 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 405 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 406 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 407 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 408 start_va = 0x310000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 409 start_va = 0x310000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 410 start_va = 0x4a0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 415 start_va = 0x1c0000 end_va = 0x1e8fff monitored = 0 entry_point = 0x1c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 416 start_va = 0x4b0000 end_va = 0x637fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 417 start_va = 0x1c0000 end_va = 0x1e8fff monitored = 0 entry_point = 0x1c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 418 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 419 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 420 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 421 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 422 start_va = 0x640000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 423 start_va = 0x7d0000 end_va = 0x1bcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 427 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 428 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 429 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 430 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 714 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Thread: id = 7 os_tid = 0xfe8 [0048.526] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fbb8 | out: lpSystemTimeAsFileTime=0x30fbb8*(dwLowDateTime=0x1730cce0, dwHighDateTime=0x1d937fd)) [0048.526] GetCurrentThreadId () returned 0xfe8 [0048.526] GetCurrentProcessId () returned 0xfe4 [0048.526] QueryPerformanceCounter (in: lpPerformanceCount=0x30fbc0 | out: lpPerformanceCount=0x30fbc0*=3317304282277) returned 1 [0048.526] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0048.528] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0048.528] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0048.529] GetLastError () returned 0x7e [0048.529] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0048.529] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0048.529] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0048.529] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0048.529] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0048.530] GetProcessHeap () returned 0x50000 [0048.530] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0048.530] GetLastError () returned 0x7e [0048.530] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0048.530] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0048.530] GetLastError () returned 0x7e [0048.530] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0048.530] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0048.531] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x3c8) returned 0x6cf90 [0048.531] SetLastError (dwErrCode=0x7e) [0048.531] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x1200) returned 0x6d360 [0048.533] GetStartupInfoW (in: lpStartupInfo=0x30fa90 | out: lpStartupInfo=0x30fa90*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x30fb18, hStdError=0x1)) [0048.533] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0048.533] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0048.533] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0048.533] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7" [0048.533] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7" [0048.533] GetACP () returned 0x4e4 [0048.533] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x0, Size=0x228) returned 0x6ab70 [0048.533] IsValidCodePage (CodePage=0x4e4) returned 1 [0048.534] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x30fa50 | out: lpCPInfo=0x30fa50) returned 1 [0048.534] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x30f2f0 | out: lpCPInfo=0x30f2f0) returned 1 [0048.534] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x30f310, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0048.534] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x30f310, cbMultiByte=256, lpWideCharStr=0x30f040, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0048.534] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x30f610 | out: lpCharType=0x30f610) returned 1 [0048.534] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x30f310, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0048.534] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x30f310, cbMultiByte=256, lpWideCharStr=0x30efe0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0048.534] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0048.534] GetLastError () returned 0x7e [0048.534] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0048.534] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0048.535] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x30edd0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0048.535] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x30f410, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿp«\x06", lpUsedDefaultChar=0x0) returned 256 [0048.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x30f310, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0048.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x30f310, cbMultiByte=256, lpWideCharStr=0x30efe0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0048.535] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0048.535] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x30edd0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0048.535] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x30f510, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0048.535] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x0, Size=0x100) returned 0x6f570 [0048.535] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0048.535] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x160) returned 0x6f680 [0048.535] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0048.535] GetLastError () returned 0x0 [0048.535] SetLastError (dwErrCode=0x0) [0048.535] GetEnvironmentStringsW () returned 0x6f7f0* [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x0, Size=0xb32) returned 0x70330 [0048.536] FreeEnvironmentStringsW (penv=0x6f7f0) returned 1 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x128) returned 0x70e70 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x3e) returned 0x6afc0 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x56) returned 0x6ada0 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x62) returned 0x6f7f0 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x78) returned 0x6f860 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x62) returned 0x6f8e0 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x30) returned 0x6e8e0 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x48) returned 0x6b010 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x28) returned 0x67960 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x1a) returned 0x67990 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x34) returned 0x6e920 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x5c) returned 0x6f950 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x32) returned 0x6e960 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x2e) returned 0x6e9a0 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x1c) returned 0x679c0 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x19c) returned 0x6f9c0 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x7c) returned 0x6fb70 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x3a) returned 0x6b060 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x90) returned 0x6fc00 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x24) returned 0x679f0 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x30) returned 0x6e9e0 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x36) returned 0x6ea20 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x3c) returned 0x6b0b0 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x52) returned 0x6fca0 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x3c) returned 0x6b100 [0048.536] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0xd6) returned 0x6fd00 [0048.537] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x2e) returned 0x6ea60 [0048.537] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x1e) returned 0x67a20 [0048.537] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x2c) returned 0x6eaa0 [0048.537] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x54) returned 0x6fde0 [0048.537] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x52) returned 0x6fe40 [0048.537] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x2c) returned 0x6eae0 [0048.537] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x26) returned 0x67a50 [0048.537] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x3e) returned 0x6b150 [0048.537] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x24) returned 0x67a80 [0048.537] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x30) returned 0x6eb20 [0048.537] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x8c) returned 0x6fea0 [0048.537] HeapFree (in: hHeap=0x50000, dwFlags=0x0, lpMem=0x70330 | out: hHeap=0x50000) returned 1 [0048.537] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x1000) returned 0x70fa0 [0048.538] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0048.538] GetStartupInfoW (in: lpStartupInfo=0x30fb20 | out: lpStartupInfo=0x30fb20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0048.538] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7" [0048.538] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7", pNumArgs=0x30faf0 | out: pNumArgs=0x30faf0) returned 0x703c0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0048.538] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0048.543] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x0, Size=0x1000) returned 0x74090 [0048.543] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x0, Size=0x12) returned 0x67650 [0048.543] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="FPH732n7", cchWideChar=-1, lpMultiByteStr=0x67650, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FPH732n7", lpUsedDefaultChar=0x0) returned 9 [0048.543] GetLastError () returned 0x0 [0048.543] SetLastError (dwErrCode=0x0) [0048.544] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7W") returned 0x0 [0048.544] GetLastError () returned 0x7f [0048.544] SetLastError (dwErrCode=0x7f) [0048.544] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7A") returned 0x0 [0048.544] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7") returned 0x7fef2eb1cf0 [0048.544] GetActiveWindow () returned 0x0 [0048.545] GetLastError () returned 0x7f [0048.546] SetLastError (dwErrCode=0x7f) Process: id = "4" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x44691000" os_pid = "0xff4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 431 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 432 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 433 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 434 start_va = 0x1d0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 435 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 436 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 437 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 438 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 439 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 440 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 441 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 442 start_va = 0x7fffffde000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 443 start_va = 0x50000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 444 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 445 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 446 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 447 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 448 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 449 start_va = 0x2d0000 end_va = 0x336fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 450 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 451 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 452 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 453 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 454 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 455 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 456 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 457 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 458 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 459 start_va = 0x340000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 462 start_va = 0x340000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 463 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 464 start_va = 0x50000 end_va = 0x78fff monitored = 0 entry_point = 0x51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 465 start_va = 0xb0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 466 start_va = 0x520000 end_va = 0x6a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 467 start_va = 0x50000 end_va = 0x78fff monitored = 0 entry_point = 0x51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 468 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 469 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 470 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 471 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 472 start_va = 0x6b0000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 473 start_va = 0x840000 end_va = 0x1c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 517 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 518 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 519 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 523 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 713 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Thread: id = 10 os_tid = 0xff8 [0048.937] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfe58 | out: lpSystemTimeAsFileTime=0x2cfe58*(dwLowDateTime=0x176eb0a0, dwHighDateTime=0x1d937fd)) [0048.937] GetCurrentThreadId () returned 0xff8 [0048.937] GetCurrentProcessId () returned 0xff4 [0048.937] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfe60 | out: lpPerformanceCount=0x2cfe60*=3317345387943) returned 1 [0048.937] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0048.940] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0048.940] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0048.940] GetLastError () returned 0x7e [0048.940] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0048.940] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0048.940] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0048.941] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0048.941] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0048.942] GetProcessHeap () returned 0xb0000 [0048.942] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0048.942] GetLastError () returned 0x7e [0048.942] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0048.942] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0048.942] GetLastError () returned 0x7e [0048.943] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0048.943] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0048.943] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x3c8) returned 0xccf90 [0048.943] SetLastError (dwErrCode=0x7e) [0048.943] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x1200) returned 0xcd360 [0048.945] GetStartupInfoW (in: lpStartupInfo=0x2cfd30 | out: lpStartupInfo=0x2cfd30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2cfdb8, hStdError=0x1)) [0048.945] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0048.945] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0048.945] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0048.946] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j" [0048.946] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j" [0048.946] GetACP () returned 0x4e4 [0048.946] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x0, Size=0x228) returned 0xcab70 [0048.946] IsValidCodePage (CodePage=0x4e4) returned 1 [0048.946] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cfcf0 | out: lpCPInfo=0x2cfcf0) returned 1 [0048.946] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf590 | out: lpCPInfo=0x2cf590) returned 1 [0048.946] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf5b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0048.946] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf5b0, cbMultiByte=256, lpWideCharStr=0x2cf2e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0048.946] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x2cf8b0 | out: lpCharType=0x2cf8b0) returned 1 [0048.946] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf5b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0048.946] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf5b0, cbMultiByte=256, lpWideCharStr=0x2cf280, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0048.946] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0048.947] GetLastError () returned 0x7e [0048.947] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0048.947] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0048.947] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2cf070, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0048.947] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2cf6b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿp«\x0c", lpUsedDefaultChar=0x0) returned 256 [0048.947] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf5b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0048.947] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf5b0, cbMultiByte=256, lpWideCharStr=0x2cf280, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0048.947] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0048.948] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2cf070, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0048.948] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2cf7b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0048.948] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x0, Size=0x100) returned 0xcf570 [0048.948] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0048.948] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x160) returned 0xcf680 [0048.948] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0048.948] GetLastError () returned 0x0 [0048.948] SetLastError (dwErrCode=0x0) [0048.948] GetEnvironmentStringsW () returned 0xcf7f0* [0048.948] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x0, Size=0xb32) returned 0xd0330 [0048.948] FreeEnvironmentStringsW (penv=0xcf7f0) returned 1 [0048.948] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x128) returned 0xd0e70 [0048.948] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x3e) returned 0xcafc0 [0048.948] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x56) returned 0xcada0 [0048.948] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x62) returned 0xcf7f0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x78) returned 0xcf860 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x62) returned 0xcf8e0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x30) returned 0xce8e0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x48) returned 0xcb010 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x28) returned 0xc7960 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x1a) returned 0xc7990 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x34) returned 0xce920 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x5c) returned 0xcf950 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x32) returned 0xce960 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x2e) returned 0xce9a0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x1c) returned 0xc79c0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x19c) returned 0xcf9c0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x7c) returned 0xcfb70 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x3a) returned 0xcb060 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x90) returned 0xcfc00 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x24) returned 0xc79f0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x30) returned 0xce9e0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x36) returned 0xcea20 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x3c) returned 0xcb0b0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x52) returned 0xcfca0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x3c) returned 0xcb100 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0xd6) returned 0xcfd00 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x2e) returned 0xcea60 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x1e) returned 0xc7a20 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x2c) returned 0xceaa0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x54) returned 0xcfde0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x52) returned 0xcfe40 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x2c) returned 0xceae0 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x26) returned 0xc7a50 [0048.949] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x3e) returned 0xcb150 [0048.950] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x24) returned 0xc7a80 [0048.950] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x30) returned 0xceb20 [0048.950] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x8c) returned 0xcfea0 [0048.950] HeapFree (in: hHeap=0xb0000, dwFlags=0x0, lpMem=0xd0330 | out: hHeap=0xb0000) returned 1 [0048.950] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x8, Size=0x1000) returned 0xd0fa0 [0048.951] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0048.951] GetStartupInfoW (in: lpStartupInfo=0x2cfdc0 | out: lpStartupInfo=0x2cfdc0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0048.951] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j" [0048.951] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j", pNumArgs=0x2cfd90 | out: pNumArgs=0x2cfd90) returned 0xd03c0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0048.951] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0048.959] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x0, Size=0x1000) returned 0xd4090 [0048.959] RtlAllocateHeap (HeapHandle=0xb0000, Flags=0x0, Size=0x12) returned 0xc7650 [0048.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="KlXWgB9j", cchWideChar=-1, lpMultiByteStr=0xc7650, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="KlXWgB9j", lpUsedDefaultChar=0x0) returned 9 [0048.959] GetLastError () returned 0x0 [0048.959] SetLastError (dwErrCode=0x0) [0048.960] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jW") returned 0x0 [0048.960] GetLastError () returned 0x7f [0048.960] SetLastError (dwErrCode=0x7f) [0048.960] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jA") returned 0x0 [0048.960] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9j") returned 0x7fef2eb0010 [0048.960] GetActiveWindow () returned 0x0 [0049.126] GetLastError () returned 0x7f [0049.126] SetLastError (dwErrCode=0x7f) Process: id = "5" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x44ea4000" os_pid = "0xb9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 474 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 475 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 476 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 477 start_va = 0xf0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 478 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 479 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 480 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 481 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 482 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 483 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 484 start_va = 0x7fffffda000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 485 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 486 start_va = 0x1f0000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 487 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 488 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 489 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 490 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 491 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 492 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 493 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 494 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 495 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 496 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 497 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 498 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 499 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 500 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 501 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 502 start_va = 0x1f0000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 503 start_va = 0x350000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 504 start_va = 0x1f0000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 505 start_va = 0x320000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 508 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 509 start_va = 0x450000 end_va = 0x5d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 510 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 511 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 512 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 513 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 514 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 515 start_va = 0x5e0000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 516 start_va = 0x770000 end_va = 0x1b6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 520 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 521 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 522 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 536 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 712 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Thread: id = 12 os_tid = 0xba0 [0049.066] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef758 | out: lpSystemTimeAsFileTime=0x1ef758*(dwLowDateTime=0x17841d00, dwHighDateTime=0x1d937fd)) [0049.066] GetCurrentThreadId () returned 0xba0 [0049.066] GetCurrentProcessId () returned 0xb9c [0049.066] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef760 | out: lpPerformanceCount=0x1ef760*=3317358363985) returned 1 [0049.067] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0049.070] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0049.070] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0049.070] GetLastError () returned 0x7e [0049.070] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0049.071] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0049.071] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0049.072] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0049.072] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0049.072] GetProcessHeap () returned 0x350000 [0049.073] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0049.073] GetLastError () returned 0x7e [0049.073] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0049.073] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0049.073] GetLastError () returned 0x7e [0049.073] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0049.073] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0049.073] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3c8) returned 0x36cf90 [0049.074] SetLastError (dwErrCode=0x7e) [0049.074] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1200) returned 0x36d360 [0049.076] GetStartupInfoW (in: lpStartupInfo=0x1ef630 | out: lpStartupInfo=0x1ef630*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x1ef6b8, hStdError=0x1)) [0049.076] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0049.076] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0049.076] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0049.076] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77" [0049.076] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77" [0049.076] GetACP () returned 0x4e4 [0049.076] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x228) returned 0x36ab70 [0049.076] IsValidCodePage (CodePage=0x4e4) returned 1 [0049.076] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1ef5f0 | out: lpCPInfo=0x1ef5f0) returned 1 [0049.076] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1eee90 | out: lpCPInfo=0x1eee90) returned 1 [0049.076] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eeeb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0049.076] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eeeb0, cbMultiByte=256, lpWideCharStr=0x1eebe0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0049.076] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x1ef1b0 | out: lpCharType=0x1ef1b0) returned 1 [0049.077] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eeeb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0049.077] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eeeb0, cbMultiByte=256, lpWideCharStr=0x1eeb80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0049.077] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0049.077] GetLastError () returned 0x7e [0049.077] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0049.077] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0049.078] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ee970, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0049.078] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1eefb0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿp«6", lpUsedDefaultChar=0x0) returned 256 [0049.078] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eeeb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0049.078] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eeeb0, cbMultiByte=256, lpWideCharStr=0x1eeb80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0049.078] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0049.078] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ee970, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0049.078] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1ef0b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0049.078] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x100) returned 0x36f570 [0049.078] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0049.078] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x15e) returned 0x36f680 [0049.078] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0049.079] GetLastError () returned 0x0 [0049.079] SetLastError (dwErrCode=0x0) [0049.079] GetEnvironmentStringsW () returned 0x36f7f0* [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0xb32) returned 0x370330 [0049.079] FreeEnvironmentStringsW (penv=0x36f7f0) returned 1 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x128) returned 0x370e70 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3e) returned 0x36afc0 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x56) returned 0x36ada0 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x62) returned 0x36f7f0 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x78) returned 0x36f860 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x62) returned 0x36f8e0 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x30) returned 0x36e8e0 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x48) returned 0x36b010 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x28) returned 0x367960 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1a) returned 0x367990 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x34) returned 0x36e920 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x5c) returned 0x36f950 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x32) returned 0x36e960 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2e) returned 0x36e9a0 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1c) returned 0x3679c0 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x19c) returned 0x36f9c0 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x7c) returned 0x36fb70 [0049.079] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3a) returned 0x36b060 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x90) returned 0x36fc00 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x24) returned 0x3679f0 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x30) returned 0x36e9e0 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x36) returned 0x36ea20 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3c) returned 0x36b0b0 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x52) returned 0x36fca0 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3c) returned 0x36b100 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xd6) returned 0x36fd00 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2e) returned 0x36ea60 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1e) returned 0x367a20 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2c) returned 0x36eaa0 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x54) returned 0x36fde0 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x52) returned 0x36fe40 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2c) returned 0x36eae0 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x26) returned 0x367a50 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3e) returned 0x36b150 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x24) returned 0x367a80 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x30) returned 0x36eb20 [0049.080] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x8c) returned 0x36fea0 [0049.081] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x370330 | out: hHeap=0x350000) returned 1 [0049.081] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1000) returned 0x370fa0 [0049.081] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0049.081] GetStartupInfoW (in: lpStartupInfo=0x1ef6c0 | out: lpStartupInfo=0x1ef6c0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0049.081] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77" [0049.081] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77", pNumArgs=0x1ef690 | out: pNumArgs=0x1ef690) returned 0x3703c0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0049.081] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0049.089] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x1000) returned 0x374090 [0049.089] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x10) returned 0x367650 [0049.089] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="LKKIJ77", cchWideChar=-1, lpMultiByteStr=0x367650, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LKKIJ77", lpUsedDefaultChar=0x0) returned 8 [0049.090] GetLastError () returned 0x0 [0049.090] SetLastError (dwErrCode=0x0) [0049.090] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77W") returned 0x0 [0049.090] GetLastError () returned 0x7f [0049.090] SetLastError (dwErrCode=0x7f) [0049.090] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77A") returned 0x0 [0049.090] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77") returned 0x7fef2ea6420 [0049.090] GetActiveWindow () returned 0x0 [0049.179] GetLastError () returned 0x7f [0049.179] SetLastError (dwErrCode=0x7f) Process: id = "6" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x455b6000" os_pid = "0xba8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 524 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 525 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 526 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 527 start_va = 0x110000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 528 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 529 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 530 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 531 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 532 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 533 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 534 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 535 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 537 start_va = 0x210000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 538 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 539 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 540 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 541 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 542 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 543 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 544 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 545 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 546 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 547 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 548 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 549 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 550 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 551 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 552 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 553 start_va = 0x3b0000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 554 start_va = 0x3b0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 555 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 558 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 559 start_va = 0x550000 end_va = 0x6d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 560 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 561 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 562 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 563 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 564 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 565 start_va = 0x6e0000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 566 start_va = 0x870000 end_va = 0x1c6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 606 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 607 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 608 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 612 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 711 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Thread: id = 14 os_tid = 0xbac [0049.545] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fb38 | out: lpSystemTimeAsFileTime=0x20fb38*(dwLowDateTime=0x17cb8640, dwHighDateTime=0x1d937fd)) [0049.545] GetCurrentThreadId () returned 0xbac [0049.545] GetCurrentProcessId () returned 0xba8 [0049.545] QueryPerformanceCounter (in: lpPerformanceCount=0x20fb40 | out: lpPerformanceCount=0x20fb40*=3317406237320) returned 1 [0049.546] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0049.557] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0049.557] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0049.558] GetLastError () returned 0x7e [0049.558] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0049.558] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0049.558] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0049.559] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0049.559] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0049.560] GetProcessHeap () returned 0x2b0000 [0049.560] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0049.560] GetLastError () returned 0x7e [0049.560] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0049.560] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0049.560] GetLastError () returned 0x7e [0049.561] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0049.561] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0049.561] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x3c8) returned 0x2ccf90 [0049.561] SetLastError (dwErrCode=0x7e) [0049.561] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x1200) returned 0x2cd360 [0049.564] GetStartupInfoW (in: lpStartupInfo=0x20fa10 | out: lpStartupInfo=0x20fa10*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x20fa98, hStdError=0x1)) [0049.564] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0049.564] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0049.564] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0049.564] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt" [0049.564] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt" [0049.564] GetACP () returned 0x4e4 [0049.565] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x228) returned 0x2cab70 [0049.565] IsValidCodePage (CodePage=0x4e4) returned 1 [0049.565] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x20f9d0 | out: lpCPInfo=0x20f9d0) returned 1 [0049.565] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x20f270 | out: lpCPInfo=0x20f270) returned 1 [0049.565] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f290, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0049.565] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f290, cbMultiByte=256, lpWideCharStr=0x20efc0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0049.565] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x20f590 | out: lpCharType=0x20f590) returned 1 [0049.565] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f290, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0049.565] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f290, cbMultiByte=256, lpWideCharStr=0x20ef60, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0049.565] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0049.565] GetLastError () returned 0x7e [0049.565] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0049.566] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0049.566] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x20ed50, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0049.566] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x20f390, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿp«,", lpUsedDefaultChar=0x0) returned 256 [0049.566] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f290, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0049.566] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f290, cbMultiByte=256, lpWideCharStr=0x20ef60, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0049.566] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0049.566] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x20ed50, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0049.566] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x20f490, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0049.567] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x100) returned 0x2cf570 [0049.567] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0049.567] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x164) returned 0x2cf680 [0049.567] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0049.567] GetLastError () returned 0x0 [0049.567] SetLastError (dwErrCode=0x0) [0049.567] GetEnvironmentStringsW () returned 0x2cf7f0* [0049.567] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0xb32) returned 0x2d0330 [0049.567] FreeEnvironmentStringsW (penv=0x2cf7f0) returned 1 [0049.567] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x128) returned 0x2d0e70 [0049.567] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x3e) returned 0x2cafc0 [0049.567] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x56) returned 0x2cada0 [0049.567] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x62) returned 0x2cf7f0 [0049.567] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x78) returned 0x2cf860 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x62) returned 0x2cf8e0 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x30) returned 0x2ce8e0 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x48) returned 0x2cb010 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x28) returned 0x2c7960 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x1a) returned 0x2c7990 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x34) returned 0x2ce920 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x5c) returned 0x2cf950 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x32) returned 0x2ce960 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x2e) returned 0x2ce9a0 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x1c) returned 0x2c79c0 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x19c) returned 0x2cf9c0 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x7c) returned 0x2cfb70 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x3a) returned 0x2cb060 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x90) returned 0x2cfc00 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x24) returned 0x2c79f0 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x30) returned 0x2ce9e0 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x36) returned 0x2cea20 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x3c) returned 0x2cb0b0 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x52) returned 0x2cfca0 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x3c) returned 0x2cb100 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xd6) returned 0x2cfd00 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x2e) returned 0x2cea60 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x1e) returned 0x2c7a20 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x2c) returned 0x2ceaa0 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x54) returned 0x2cfde0 [0049.568] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x52) returned 0x2cfe40 [0049.569] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x2c) returned 0x2ceae0 [0049.569] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x26) returned 0x2c7a50 [0049.569] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x3e) returned 0x2cb150 [0049.569] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x24) returned 0x2c7a80 [0049.569] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x30) returned 0x2ceb20 [0049.569] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x8c) returned 0x2cfea0 [0049.569] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2d0330 | out: hHeap=0x2b0000) returned 1 [0049.569] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x1000) returned 0x2d0fa0 [0049.570] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0049.570] GetStartupInfoW (in: lpStartupInfo=0x20faa0 | out: lpStartupInfo=0x20faa0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0049.570] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt" [0049.570] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt", pNumArgs=0x20fa70 | out: pNumArgs=0x20fa70) returned 0x2d03c0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0049.570] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0049.642] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x1000) returned 0x2d4090 [0049.643] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x16) returned 0x2c7650 [0049.643] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MMlFUh3Tzt", cchWideChar=-1, lpMultiByteStr=0x2c7650, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMlFUh3Tzt", lpUsedDefaultChar=0x0) returned 11 [0049.643] GetLastError () returned 0x0 [0049.643] SetLastError (dwErrCode=0x0) [0049.643] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztW") returned 0x0 [0049.643] GetLastError () returned 0x7f [0049.643] SetLastError (dwErrCode=0x7f) [0049.644] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztA") returned 0x0 [0049.644] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3Tzt") returned 0x7fef2eb0cf0 [0049.644] GetActiveWindow () returned 0x0 [0049.786] GetLastError () returned 0x7f [0049.786] SetLastError (dwErrCode=0x7f) Process: id = "7" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x447c9000" os_pid = "0xbb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"0\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 567 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 568 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 569 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 570 start_va = 0xf0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 571 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 572 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 573 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 574 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 575 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 576 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 577 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 578 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 579 start_va = 0x1f0000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 580 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 581 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 582 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 583 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 584 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 585 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 586 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 587 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 588 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 589 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 590 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 591 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 592 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 593 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 594 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 595 start_va = 0x350000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 596 start_va = 0x3e0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 597 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 598 start_va = 0x4e0000 end_va = 0x667fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 599 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 600 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 601 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 602 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 603 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 604 start_va = 0x670000 end_va = 0x7f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 605 start_va = 0x800000 end_va = 0x1bfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 609 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 610 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 611 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1367 start_va = 0x350000 end_va = 0x3cdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 1368 start_va = 0x3d0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 1450 start_va = 0x1c00000 end_va = 0x1d57fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 1475 start_va = 0x1d60000 end_va = 0x1ec0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d60000" filename = "" Region: id = 1477 start_va = 0x7fefd2c0000 end_va = 0x7fefd42cfff monitored = 0 entry_point = 0x7fefd2c10b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1478 start_va = 0x7fefd270000 end_va = 0x7fefd27efff monitored = 0 entry_point = 0x7fefd271020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1479 start_va = 0x7fefd060000 end_va = 0x7fefd06afff monitored = 0 entry_point = 0x7fefd061030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1480 start_va = 0x7fefd090000 end_va = 0x7fefd0b4fff monitored = 0 entry_point = 0x7fefd099658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1481 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1482 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1483 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1484 start_va = 0x7fefabb0000 end_va = 0x7fefabc7fff monitored = 0 entry_point = 0x7fefabb1010 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1485 start_va = 0x7fefacc0000 end_va = 0x7feface6fff monitored = 0 entry_point = 0x7fefacc98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1486 start_va = 0x7fefed70000 end_va = 0x7fefed77fff monitored = 0 entry_point = 0x7fefed71504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1487 start_va = 0x7fefacb0000 end_va = 0x7fefacbafff monitored = 0 entry_point = 0x7fefacb1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1488 start_va = 0x7fefb550000 end_va = 0x7fefb560fff monitored = 0 entry_point = 0x7fefb551070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1489 start_va = 0x7feff280000 end_va = 0x7feff2ccfff monitored = 0 entry_point = 0x7feff281070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1490 start_va = 0x1ed0000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 1645 start_va = 0x2070000 end_va = 0x233efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1646 start_va = 0x2430000 end_va = 0x252ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 1647 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1686 start_va = 0x1ed0000 end_va = 0x1f4cfff monitored = 0 entry_point = 0x1edcec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1687 start_va = 0x1ff0000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ff0000" filename = "" Region: id = 1688 start_va = 0x1ed0000 end_va = 0x1f4cfff monitored = 0 entry_point = 0x1edcec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1689 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2184 start_va = 0x25e0000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 2185 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2258 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2259 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2260 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2261 start_va = 0x250000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 2262 start_va = 0x7fef9520000 end_va = 0x7fef952dfff monitored = 0 entry_point = 0x7fef9525500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2263 start_va = 0x7fef97c0000 end_va = 0x7fef9836fff monitored = 0 entry_point = 0x7fef97fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2264 start_va = 0x7fefcc30000 end_va = 0x7fefcc51fff monitored = 0 entry_point = 0x7fefcc35d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2265 start_va = 0x27d0000 end_va = 0x28cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 2266 start_va = 0x7fefcac0000 end_va = 0x7fefcad7fff monitored = 0 entry_point = 0x7fefcac3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2267 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2282 start_va = 0x200000 end_va = 0x244fff monitored = 0 entry_point = 0x201064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2399 start_va = 0x200000 end_va = 0x244fff monitored = 0 entry_point = 0x201064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2400 start_va = 0x200000 end_va = 0x244fff monitored = 0 entry_point = 0x201064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2401 start_va = 0x200000 end_va = 0x244fff monitored = 0 entry_point = 0x201064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2402 start_va = 0x200000 end_va = 0x244fff monitored = 0 entry_point = 0x201064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2403 start_va = 0x7fefc7c0000 end_va = 0x7fefc806fff monitored = 0 entry_point = 0x7fefc7c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2404 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c3fff monitored = 0 entry_point = 0x7fefd1b10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2405 start_va = 0x2940000 end_va = 0x2a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 2406 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2407 start_va = 0x2af0000 end_va = 0x2beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 2408 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2409 start_va = 0x7fef9240000 end_va = 0x7fef9252fff monitored = 0 entry_point = 0x7fef9241d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2410 start_va = 0x7fef9560000 end_va = 0x7fef9632fff monitored = 0 entry_point = 0x7fef95d8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2411 start_va = 0x7fef9530000 end_va = 0x7fef9556fff monitored = 0 entry_point = 0x7fef95311a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2412 start_va = 0x200000 end_va = 0x202fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Thread: id = 16 os_tid = 0xbb8 [0049.716] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efdb8 | out: lpSystemTimeAsFileTime=0x1efdb8*(dwLowDateTime=0x17e5b560, dwHighDateTime=0x1d937fd)) [0049.716] GetCurrentThreadId () returned 0xbb8 [0049.716] GetCurrentProcessId () returned 0xbb4 [0049.716] QueryPerformanceCounter (in: lpPerformanceCount=0x1efdc0 | out: lpPerformanceCount=0x1efdc0*=3317423316867) returned 1 [0049.717] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0049.719] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0049.719] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0049.719] GetLastError () returned 0x7e [0049.719] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0049.720] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0049.720] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0049.721] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0049.721] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0049.721] GetProcessHeap () returned 0x250000 [0049.721] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0049.722] GetLastError () returned 0x7e [0049.722] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0049.722] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0049.722] GetLastError () returned 0x7e [0049.722] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0049.722] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0049.722] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c8) returned 0x26cfa0 [0049.723] SetLastError (dwErrCode=0x7e) [0049.723] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1200) returned 0x26d370 [0049.725] GetStartupInfoW (in: lpStartupInfo=0x1efc90 | out: lpStartupInfo=0x1efc90*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x1efd18, hStdError=0x1)) [0049.725] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0049.725] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0049.725] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0049.725] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"0\"" [0049.725] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"0\"" [0049.725] GetACP () returned 0x4e4 [0049.725] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x228) returned 0x26ab80 [0049.725] IsValidCodePage (CodePage=0x4e4) returned 1 [0049.725] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1efc50 | out: lpCPInfo=0x1efc50) returned 1 [0049.725] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1ef4f0 | out: lpCPInfo=0x1ef4f0) returned 1 [0049.725] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ef510, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0049.725] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ef510, cbMultiByte=256, lpWideCharStr=0x1ef240, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0049.725] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x1ef810 | out: lpCharType=0x1ef810) returned 1 [0049.726] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ef510, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0049.726] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ef510, cbMultiByte=256, lpWideCharStr=0x1ef1e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0049.726] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0049.726] GetLastError () returned 0x7e [0049.726] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0049.726] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0049.727] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1eefd0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0049.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1ef610, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80«&", lpUsedDefaultChar=0x0) returned 256 [0049.727] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ef510, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0049.727] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ef510, cbMultiByte=256, lpWideCharStr=0x1ef1e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0049.727] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0049.727] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1eefd0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0049.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1ef710, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0049.727] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x100) returned 0x26f580 [0049.727] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0049.727] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x182) returned 0x26f690 [0049.727] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0049.727] GetLastError () returned 0x0 [0049.727] SetLastError (dwErrCode=0x0) [0049.727] GetEnvironmentStringsW () returned 0x26f820* [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xb32) returned 0x270360 [0049.728] FreeEnvironmentStringsW (penv=0x26f820) returned 1 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x128) returned 0x270ea0 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3e) returned 0x26afd0 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x56) returned 0x26adb0 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x62) returned 0x26f820 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x78) returned 0x26f890 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x62) returned 0x26f910 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x30) returned 0x26e8f0 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x48) returned 0x26b020 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x28) returned 0x267990 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1a) returned 0x2679c0 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x34) returned 0x26e930 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x5c) returned 0x26f980 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x32) returned 0x26e970 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2e) returned 0x26e9b0 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1c) returned 0x2679f0 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x19c) returned 0x26f9f0 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x7c) returned 0x26fba0 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3a) returned 0x26b070 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x90) returned 0x26fc30 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x24) returned 0x267a20 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x30) returned 0x26e9f0 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x36) returned 0x26ea30 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c) returned 0x26b0c0 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x52) returned 0x26fcd0 [0049.728] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c) returned 0x26b110 [0049.729] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xd6) returned 0x26fd30 [0049.729] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2e) returned 0x26ea70 [0049.729] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1e) returned 0x267a50 [0049.729] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2c) returned 0x26eab0 [0049.729] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x54) returned 0x26fe10 [0049.729] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x52) returned 0x26fe70 [0049.729] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2c) returned 0x26eaf0 [0049.729] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x26) returned 0x267a80 [0049.729] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3e) returned 0x26b160 [0049.729] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x24) returned 0x267ab0 [0049.729] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x30) returned 0x26eb30 [0049.729] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x8c) returned 0x26fed0 [0049.730] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x270360 | out: hHeap=0x250000) returned 1 [0049.730] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1000) returned 0x270fd0 [0049.730] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0049.730] GetStartupInfoW (in: lpStartupInfo=0x1efd20 | out: lpStartupInfo=0x1efd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0049.730] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"0\"" [0049.730] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"0\"", pNumArgs=0x1efcf0 | out: pNumArgs=0x1efcf0) returned 0x2703f0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0049.731] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0049.736] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x1000) returned 0x2740c0 [0049.736] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x16) returned 0x270e10 [0049.736] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Cpurthnvlc", cchWideChar=-1, lpMultiByteStr=0x270e10, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Cpurthnvlc", lpUsedDefaultChar=0x0) returned 11 [0049.736] GetLastError () returned 0x0 [0049.736] SetLastError (dwErrCode=0x0) [0049.736] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcW") returned 0x0 [0049.736] GetLastError () returned 0x7f [0049.736] SetLastError (dwErrCode=0x7f) [0049.737] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcA") returned 0x0 [0049.737] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="Cpurthnvlc") returned 0x7fef2ea5970 [0049.737] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x4) returned 0x270e30 [0049.737] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x270e30, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0049.737] GetActiveWindow () returned 0x0 [0070.971] VirtualAlloc (lpAddress=0x0, dwSize=0x7e000, flAllocationType=0x3000, flProtect=0x40) returned 0x350000 [0071.385] GetProcAddress (hModule=0x77160000, lpProcName="ExitProcess") returned 0x772a40f0 [0071.385] GetProcAddress (hModule=0x77160000, lpProcName="LoadLibraryW") returned 0x77176420 [0071.385] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77280000 [0071.385] GetProcAddress (hModule=0x77280000, lpProcName="NtMapViewOfSection") returned 0x772d1590 [0071.385] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenFile") returned 0x772d1640 [0071.385] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenSection") returned 0x772d1680 [0071.386] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateSection") returned 0x772d17b0 [0071.386] GetProcAddress (hModule=0x77160000, lpProcName="VirtualProtect") returned 0x771629f0 [0071.386] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentThreadId") returned 0x77173380 [0071.386] GetProcAddress (hModule=0x77160000, lpProcName="GetModuleFileNameA") returned 0x77175940 [0071.386] GetProcAddress (hModule=0x77160000, lpProcName="VirtualAlloc") returned 0x77175c40 [0071.386] GetProcAddress (hModule=0x77160000, lpProcName="GetProcessHeap") returned 0x77181a30 [0071.386] GetProcAddress (hModule=0x77160000, lpProcName="HeapAlloc") returned 0x772d33a0 [0071.386] GetProcAddress (hModule=0x77160000, lpProcName="HeapFree") returned 0x77181a50 [0071.386] GetModuleFileNameA (in: hModule=0x7fef2ea0000, lpFilename=0x1ef9f0, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll")) returned 0x62 [0071.387] VirtualAlloc (lpAddress=0x0, dwSize=0x158000, flAllocationType=0x3000, flProtect=0x4) returned 0x1c00000 [0072.428] GetProcessHeap () returned 0x250000 [0072.428] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x3f80) returned 0x2750d0 [0073.090] GetProcessHeap () returned 0x250000 [0073.090] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2750d0 | out: hHeap=0x250000) returned 1 [0073.090] GetCurrentThreadId () returned 0xbb8 [0073.091] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ef8b4 | out: lpflOldProtect=0x1ef8b4*=0x20) returned 1 [0073.091] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ef8b4 | out: lpflOldProtect=0x1ef8b4*=0x40) returned 1 [0073.399] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ef8b4 | out: lpflOldProtect=0x1ef8b4*=0x20) returned 1 [0073.400] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ef8b4 | out: lpflOldProtect=0x1ef8b4*=0x40) returned 1 [0074.054] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ef8b4 | out: lpflOldProtect=0x1ef8b4*=0x20) returned 1 [0074.054] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ef8b4 | out: lpflOldProtect=0x1ef8b4*=0x40) returned 1 [0074.099] LoadLibraryW (lpLibFileName="gdiplus.dll") returned 0x1d60000 [0074.099] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ee724 | out: lpflOldProtect=0x1ee724*=0x20) returned 1 [0074.100] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ee724 | out: lpflOldProtect=0x1ee724*=0x40) returned 1 [0074.751] NtOpenFile (in: FileHandle=0x1ee808, DesiredAccess=0x100020, ObjectAttributes=0x1ee858*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1ee888, ShareAccess=0x3, OpenOptions=0x21 | out: FileHandle=0x1ee808*=0x70, IoStatusBlock=0x1ee888*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0074.752] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ee724 | out: lpflOldProtect=0x1ee724*=0x20) returned 1 [0074.753] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ee724 | out: lpflOldProtect=0x1ee724*=0x40) returned 1 [0075.017] GetCurrentThreadId () returned 0xbb8 [0075.017] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ef3f4 | out: lpflOldProtect=0x1ef3f4*=0x20) returned 1 [0075.017] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ef3f4 | out: lpflOldProtect=0x1ef3f4*=0x40) returned 1 [0075.274] NtOpenFile (in: FileHandle=0x1ef4c0, DesiredAccess=0x100021, ObjectAttributes=0x1ef578*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1ef5a8, ShareAccess=0x5, OpenOptions=0x60 | out: FileHandle=0x1ef4c0*=0x74, IoStatusBlock=0x1ef5a8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0075.274] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ef3e4 | out: lpflOldProtect=0x1ef3e4*=0x20) returned 1 [0075.274] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ef3e4 | out: lpflOldProtect=0x1ef3e4*=0x40) returned 1 [0075.553] GetCurrentThreadId () returned 0xbb8 [0075.553] NtCreateSection (in: SectionHandle=0x1ef4c8, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x74 | out: SectionHandle=0x1ef4c8*=0x78) returned 0x0 [0075.554] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ef274 | out: lpflOldProtect=0x1ef274*=0x20) returned 1 [0075.554] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ef274 | out: lpflOldProtect=0x1ef274*=0x40) returned 1 [0075.814] GetCurrentThreadId () returned 0xbb8 [0075.814] NtCreateSection (in: SectionHandle=0x1ef358, DesiredAccess=0xe, ObjectAttributes=0x0, MaximumSize=0x1ef350, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x1ef358*=0x7c) returned 0x0 [0075.814] NtMapViewOfSection (in: SectionHandle=0x7c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1ef2f8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1ef518*=0x0, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1ef2f8*=0x1d60000, SectionOffset=0x0, ViewSize=0x1ef518*=0x161000) returned 0x0 [0076.582] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef3f8 | out: lpSystemTimeAsFileTime=0x1ef3f8*(dwLowDateTime=0x273fa3e0, dwHighDateTime=0x1d937fd)) [0076.582] GetCurrentThreadId () returned 0xbb8 [0076.582] GetCurrentProcessId () returned 0xbb4 [0076.582] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef400 | out: lpPerformanceCount=0x1ef400*=3320703438998) returned 1 [0077.307] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0077.307] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0077.307] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0077.307] GetLastError () returned 0x7e [0077.307] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0077.307] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0077.517] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0077.742] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0077.743] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0077.765] GetProcessHeap () returned 0x250000 [0077.985] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0077.986] GetLastError () returned 0x7e [0077.986] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0077.986] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0077.986] GetLastError () returned 0x7e [0077.986] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0078.267] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c8) returned 0x281aa0 [0078.268] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0078.485] SetLastError (dwErrCode=0x7e) [0078.508] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1000) returned 0x281e70 [0078.509] GetStartupInfoW (in: lpStartupInfo=0x1ef280 | out: lpStartupInfo=0x1ef280*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x1)) [0078.509] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0078.509] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0078.510] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0078.746] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"0\"" [0078.746] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"0\"" [0078.771] GetLastError () returned 0x7e [0078.771] SetLastError (dwErrCode=0x7e) [0078.771] GetLastError () returned 0x7e [0078.771] SetLastError (dwErrCode=0x7e) [0078.771] GetACP () returned 0x4e4 [0078.771] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x228) returned 0x283e80 [0078.772] IsValidCodePage (CodePage=0x4e4) returned 1 [0078.772] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1ef250 | out: lpCPInfo=0x1ef250) returned 1 [0078.779] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1eeaf0 | out: lpCPInfo=0x1eeaf0) returned 1 [0078.779] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eeb10, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0078.779] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eeb10, cbMultiByte=256, lpWideCharStr=0x1ee840, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ%") returned 256 [0078.779] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ%", cchSrc=256, lpCharType=0x1eee10 | out: lpCharType=0x1eee10) returned 1 [0079.000] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eeb10, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0079.000] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eeb10, cbMultiByte=256, lpWideCharStr=0x1ee7e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0079.000] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0079.000] GetLastError () returned 0x7e [0079.000] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0079.001] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0079.001] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ee5d0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0079.001] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1eec10, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿP\x0e'", lpUsedDefaultChar=0x0) returned 256 [0079.001] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eeb10, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0079.001] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eeb10, cbMultiByte=256, lpWideCharStr=0x1ee7e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0079.001] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0079.001] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ee5d0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0079.001] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1eed10, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0079.001] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x100) returned 0x2840b0 [0079.001] RtlInitializeSListHead (in: ListHead=0x1ea8410 | out: ListHead=0x1ea8410) [0080.210] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0080.210] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0080.210] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0080.211] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0080.211] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0080.211] GetProcAddress (hModule=0x77160000, lpProcName="InitializeCriticalSectionEx") returned 0x77176e50 [0080.211] GetProcAddress (hModule=0x77160000, lpProcName="InitOnceExecuteOnce") returned 0x77165d60 [0080.211] GetProcAddress (hModule=0x77160000, lpProcName="CreateEventExW") returned 0x771ac970 [0080.211] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreW") returned 0x77168e00 [0080.211] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreExW") returned 0x771ac8a0 [0080.211] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolTimer") returned 0x77167e90 [0080.211] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolTimer") returned 0x7729b2f0 [0080.211] GetProcAddress (hModule=0x77160000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7728d8c0 [0080.211] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolTimer") returned 0x7728d620 [0080.212] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWait") returned 0x771abe60 [0080.212] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolWait") returned 0x7729e170 [0080.212] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWait") returned 0x7728c540 [0080.212] GetProcAddress (hModule=0x77160000, lpProcName="FlushProcessWriteBuffers") returned 0x772d1f80 [0080.212] GetProcAddress (hModule=0x77160000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x7734ec60 [0080.212] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentProcessorNumber") returned 0x772d0040 [0080.212] GetProcAddress (hModule=0x77160000, lpProcName="CreateSymbolicLinkW") returned 0x771d5af0 [0080.212] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentPackageId") returned 0x0 [0080.213] GetProcAddress (hModule=0x77160000, lpProcName="GetTickCount64") returned 0x77168ac0 [0080.213] GetProcAddress (hModule=0x77160000, lpProcName="GetFileInformationByHandleEx") returned 0x771712f0 [0080.213] GetProcAddress (hModule=0x77160000, lpProcName="SetFileInformationByHandle") returned 0x771ac120 [0080.213] GetProcAddress (hModule=0x77160000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0080.213] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0080.213] GetProcAddress (hModule=0x77160000, lpProcName="WakeConditionVariable") returned 0x7733bab0 [0080.213] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0080.213] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0080.213] GetProcAddress (hModule=0x77160000, lpProcName="InitializeSRWLock") returned 0x772b84f0 [0080.213] GetProcAddress (hModule=0x77160000, lpProcName="AcquireSRWLockExclusive") returned 0x772a8020 [0080.214] GetProcAddress (hModule=0x77160000, lpProcName="TryAcquireSRWLockExclusive") returned 0x7732bdd0 [0080.214] GetProcAddress (hModule=0x77160000, lpProcName="ReleaseSRWLockExclusive") returned 0x772a8050 [0080.214] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableSRW") returned 0x771ab5c0 [0080.214] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWork") returned 0x77165d30 [0080.214] GetProcAddress (hModule=0x77160000, lpProcName="SubmitThreadpoolWork") returned 0x77292330 [0080.214] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWork") returned 0x772921f0 [0080.214] GetProcAddress (hModule=0x77160000, lpProcName="CompareStringEx") returned 0x771abd60 [0080.214] GetProcAddress (hModule=0x77160000, lpProcName="GetLocaleInfoEx") returned 0x771635e0 [0080.214] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0080.242] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0080.243] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0080.243] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0080.243] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0080.243] RtlInitializeConditionVariable () returned 0x772a00b0 [0080.739] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1000) returned 0x2841c0 [0082.017] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1ea8fb0, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0082.239] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xd5) returned 0x2851d0 [0082.240] GetEnvironmentStringsW () returned 0x2852b0* [0082.240] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1433 [0082.240] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x599) returned 0x285df0 [0082.240] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x285df0, cbMultiByte=1433, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1433 [0082.240] FreeEnvironmentStringsW (penv=0x2852b0) returned 1 [0082.240] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x128) returned 0x2852b0 [0082.240] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1f) returned 0x275c70 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2b) returned 0x283770 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x31) returned 0x2837b0 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c) returned 0x2800e0 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x31) returned 0x2837f0 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x18) returned 0x270e50 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x24) returned 0x275ca0 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x14) returned 0x270e70 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xd) returned 0x2853e0 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1a) returned 0x275cd0 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2e) returned 0x283830 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x19) returned 0x275d00 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x17) returned 0x285400 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xe) returned 0x285420 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xce) returned 0x285440 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3e) returned 0x280130 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1d) returned 0x275d30 [0082.254] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x48) returned 0x280180 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x12) returned 0x285520 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x18) returned 0x285540 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1b) returned 0x275d60 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1e) returned 0x275d90 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x29) returned 0x283870 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1e) returned 0x275dc0 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x6b) returned 0x27bde0 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x17) returned 0x285560 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xf) returned 0x285580 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x16) returned 0x2855d0 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2a) returned 0x2838b0 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x29) returned 0x2838f0 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x16) returned 0x2855f0 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x13) returned 0x285610 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1f) returned 0x275df0 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x12) returned 0x285630 [0082.255] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x18) returned 0x285650 [0082.256] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x46) returned 0x2801d0 [0082.256] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285df0 | out: hHeap=0x250000) returned 1 [0082.703] GetCurrentThread () returned 0xfffffffffffffffe [0082.703] GetThreadTimes (in: hThread=0xfffffffffffffffe, lpCreationTime=0x1ef338, lpExitTime=0x1ef330, lpKernelTime=0x1ef330, lpUserTime=0x1ef330 | out: lpCreationTime=0x1ef338, lpExitTime=0x1ef330, lpKernelTime=0x1ef330, lpUserTime=0x1ef330) returned 1 [0082.703] RtlInitializeSListHead (in: ListHead=0x1ea8aa0 | out: ListHead=0x1ea8aa0) [0082.901] RtlPcToFileHeader (in: PcValue=0x1e8fef8, BaseOfImage=0x1ef260 | out: BaseOfImage=0x1ef260*=0x1d60000) returned 0x1d60000 [0083.104] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x50) returned 0x285da0 [0083.104] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x98 [0083.137] RtlWakeAllConditionVariable () returned 0x772a00b0 [0083.316] RtlWakeAllConditionVariable () returned 0x772a00b0 [0083.317] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x1ef1b0 | out: lpWSAData=0x1ef1b0) returned 0 [0083.331] RtlWakeAllConditionVariable () returned 0x772a00b0 [0083.331] RtlWakeAllConditionVariable () returned 0x772a00b0 [0083.529] RtlSizeHeap (HeapHandle=0x250000, Flags=0x0, MemoryPointer=0x2840b0) returned 0x100 [0083.529] RtlReAllocateHeap (Heap=0x250000, Flags=0x0, Ptr=0x2840b0, Size=0x200) returned 0x2861d0 [0083.551] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0083.551] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateThreadEx") returned 0x772d1d90 [0083.552] GetProcAddress (hModule=0x77280000, lpProcName="RtlNewSecurityObjectWithMultipleInheritance") returned 0x77364540 [0083.552] GetCurrentProcess () returned 0xffffffffffffffff [0083.552] NtCreateThreadEx (in: ThreadHandle=0x1ea9890, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffffffffffff, lpStartAddress=0x77364540, lpParameter=0x0, CreateSuspended=1, StackZeroBits=0x0, SizeOfStackCommit=0x0, SizeOfStackReserve=0x0, lpBytesBuffer=0x0 | out: ThreadHandle=0x1ea9890*=0xb0, lpBytesBuffer=0x0) returned 0x0 [0083.555] GetThreadContext (in: hThread=0xb0, lpContext=0x1eeee0 | out: lpContext=0x1eeee0*(P1Home=0x2861a0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0x28, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0x2840b0, Dr2=0x772d3488, Dr3=0x250230, Dr6=0x250388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x77364540, Rdx=0x0, Rbx=0x0, Rsp=0x252ffb8, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x2840b0, VectorRegister.High=0x2840b0, VectorControl=0x0, DebugControl=0x1de7129, LastBranchToRip=0x0, LastBranchFromRip=0x1ef898, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0083.703] SetThreadContext (hThread=0xb0, lpContext=0x1eeee0*(P1Home=0x2861a0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0x28, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0x2840b0, Dr2=0x772d3488, Dr3=0x250230, Dr6=0x250388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x1d7365c, Rdx=0x0, Rbx=0x0, Rsp=0x252ffb8, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x2840b0, VectorRegister.High=0x2840b0, VectorControl=0x0, DebugControl=0x1de7129, LastBranchToRip=0x0, LastBranchFromRip=0x1ef898, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0083.703] ResumeThread (hThread=0xb0) returned 0x1 [0083.710] GetProcAddress (hModule=0x1d60000, lpProcName="setPath") returned 0x1d74604 [0083.711] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x70) returned 0x27be60 [0083.711] SetEvent (hEvent=0x98) returned 1 [0083.731] WaitForSingleObject (hHandle=0xb0, dwMilliseconds=0xffffffff) returned 0x0 [0108.963] RtlExitUserProcess (ExitCode=0x0) [0108.969] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cfa0 | out: hHeap=0x250000) returned 1 [0109.899] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x281aa0 | out: hHeap=0x250000) returned 1 [0110.881] WSACleanup () returned 0 [0111.694] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x27be60 | out: hHeap=0x250000) returned 1 [0111.694] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285da0 | out: hHeap=0x250000) returned 1 [0111.721] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289570 | out: hHeap=0x250000) returned 1 [0111.721] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2882e0 | out: hHeap=0x250000) returned 1 [0111.722] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285690 | out: hHeap=0x250000) returned 1 [0111.722] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x284110 | out: hHeap=0x250000) returned 1 [0111.722] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x283e30 | out: hHeap=0x250000) returned 1 [0111.735] RtlInterlockedFlushSList (in: ListHead=0x1ea8410 | out: ListHead=0x1ea8410) returned 0x0 [0111.736] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2861d0 | out: hHeap=0x250000) returned 1 [0111.787] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2841c0 | out: hHeap=0x250000) returned 1 [0111.787] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0111.788] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2a0d90 | out: hHeap=0x250000) returned 1 [0111.788] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2b9140 | out: hHeap=0x250000) returned 1 [0111.788] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x284130 | out: hHeap=0x250000) returned 1 [0111.789] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2892b0 | out: hHeap=0x250000) returned 1 [0111.789] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2b9930 | out: hHeap=0x250000) returned 1 [0111.802] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0111.803] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x27bfe0 | out: hHeap=0x250000) returned 1 [0111.804] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x27c0e0 | out: hHeap=0x250000) returned 1 [0111.804] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x27c1e0 | out: hHeap=0x250000) returned 1 [0112.194] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275c70 | out: hHeap=0x250000) returned 1 [0112.197] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x283770 | out: hHeap=0x250000) returned 1 [0112.198] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2837b0 | out: hHeap=0x250000) returned 1 [0112.198] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2800e0 | out: hHeap=0x250000) returned 1 [0112.199] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2837f0 | out: hHeap=0x250000) returned 1 [0112.199] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x270e50 | out: hHeap=0x250000) returned 1 [0112.199] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275ca0 | out: hHeap=0x250000) returned 1 [0112.199] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x270e70 | out: hHeap=0x250000) returned 1 [0112.199] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2853e0 | out: hHeap=0x250000) returned 1 [0112.199] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275cd0 | out: hHeap=0x250000) returned 1 [0112.200] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x283830 | out: hHeap=0x250000) returned 1 [0112.200] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275d00 | out: hHeap=0x250000) returned 1 [0112.200] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285400 | out: hHeap=0x250000) returned 1 [0112.200] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285420 | out: hHeap=0x250000) returned 1 [0112.200] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285440 | out: hHeap=0x250000) returned 1 [0112.201] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280130 | out: hHeap=0x250000) returned 1 [0112.201] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275d30 | out: hHeap=0x250000) returned 1 [0112.201] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280180 | out: hHeap=0x250000) returned 1 [0112.201] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285520 | out: hHeap=0x250000) returned 1 [0112.201] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285540 | out: hHeap=0x250000) returned 1 [0112.201] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275d60 | out: hHeap=0x250000) returned 1 [0112.201] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275d90 | out: hHeap=0x250000) returned 1 [0112.202] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x283870 | out: hHeap=0x250000) returned 1 [0112.202] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275dc0 | out: hHeap=0x250000) returned 1 [0112.202] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x27bde0 | out: hHeap=0x250000) returned 1 [0112.202] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285560 | out: hHeap=0x250000) returned 1 [0112.202] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285580 | out: hHeap=0x250000) returned 1 [0112.202] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2855d0 | out: hHeap=0x250000) returned 1 [0112.202] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2838b0 | out: hHeap=0x250000) returned 1 [0112.203] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2838f0 | out: hHeap=0x250000) returned 1 [0112.203] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2855f0 | out: hHeap=0x250000) returned 1 [0112.203] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285610 | out: hHeap=0x250000) returned 1 [0112.203] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275df0 | out: hHeap=0x250000) returned 1 [0112.203] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285630 | out: hHeap=0x250000) returned 1 [0112.203] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285650 | out: hHeap=0x250000) returned 1 [0112.203] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2801d0 | out: hHeap=0x250000) returned 1 [0112.204] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2852b0 | out: hHeap=0x250000) returned 1 [0112.204] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x283e80 | out: hHeap=0x250000) returned 1 [0112.205] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2851d0 | out: hHeap=0x250000) returned 1 [0112.434] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x281e70 | out: hHeap=0x250000) returned 1 [0112.435] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0112.435] FreeLibrary (hLibModule=0x77160000) returned 1 [0112.451] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0112.451] FreeLibrary (hLibModule=0x77160000) returned 1 Thread: id = 61 os_tid = 0xb2c [0083.733] GetLastError () returned 0x57 [0083.733] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0083.733] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x78) returned 0x27bee0 [0083.734] SetLastError (dwErrCode=0x57) [0083.734] GetLastError () returned 0x57 [0083.734] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c8) returned 0x287c70 [0083.734] SetLastError (dwErrCode=0x57) [0083.753] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0083.755] GetLastError () returned 0x7e [0083.755] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x252fa40 | out: lpSystemTimeAsFileTime=0x252fa40*(dwLowDateTime=0x2a337810, dwHighDateTime=0x1d937fd)) [0083.756] GetLastError () returned 0x7e [0083.756] SetLastError (dwErrCode=0x7e) [0083.756] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0083.756] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x70) returned 0x27bf60 [0083.972] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x260) returned 0x288040 [0084.410] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0084.410] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x38) returned 0x283e30 [0084.422] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2) returned 0x284110 [0084.423] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x284110 | out: hHeap=0x250000) returned 1 [0084.423] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2) returned 0x284110 [0084.423] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x30) returned 0x2882e0 [0084.590] GetLastError () returned 0x7e [0084.590] SetLastError (dwErrCode=0x7e) [0084.590] GetLastError () returned 0x7e [0084.590] SetLastError (dwErrCode=0x7e) [0084.604] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x158) returned 0x2892b0 [0084.604] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6a6) returned 0x289410 [0084.605] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289410 | out: hHeap=0x250000) returned 1 [0084.605] GetLastError () returned 0x7e [0084.605] SetLastError (dwErrCode=0x7e) [0084.618] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6) returned 0x284130 [0084.618] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2) returned 0x284150 [0084.756] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4) returned 0x284170 [0084.756] GetLastError () returned 0x7e [0084.756] SetLastError (dwErrCode=0x7e) [0084.756] GetLastError () returned 0x7e [0084.756] SetLastError (dwErrCode=0x7e) [0084.756] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x158) returned 0x289410 [0084.756] GetLastError () returned 0x7e [0084.756] SetLastError (dwErrCode=0x7e) [0084.768] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6a6) returned 0x289570 [0084.769] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289570 | out: hHeap=0x250000) returned 1 [0084.769] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x284130 | out: hHeap=0x250000) returned 1 [0084.769] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2892b0 | out: hHeap=0x250000) returned 1 [0084.769] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x284170 | out: hHeap=0x250000) returned 1 [0084.769] GetLastError () returned 0x7e [0084.770] SetLastError (dwErrCode=0x7e) [0084.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6) returned 0x284130 [0084.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2) returned 0x284170 [0084.770] GetLastError () returned 0x7e [0084.770] SetLastError (dwErrCode=0x7e) [0084.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x200) returned 0x289570 [0084.770] GetLastError () returned 0x7e [0084.770] SetLastError (dwErrCode=0x7e) [0084.770] GetLastError () returned 0x7e [0084.770] SetLastError (dwErrCode=0x7e) [0084.770] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4) returned 0x284190 [0084.770] GetLastError () returned 0x7e [0084.770] SetLastError (dwErrCode=0x7e) [0084.770] GetLastError () returned 0x7e [0084.770] SetLastError (dwErrCode=0x7e) [0084.771] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x158) returned 0x2892b0 [0084.771] GetLastError () returned 0x7e [0084.771] SetLastError (dwErrCode=0x7e) [0084.771] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6a6) returned 0x289780 [0084.771] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289780 | out: hHeap=0x250000) returned 1 [0084.771] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x284130 | out: hHeap=0x250000) returned 1 [0084.772] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289410 | out: hHeap=0x250000) returned 1 [0084.772] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x284190 | out: hHeap=0x250000) returned 1 [0084.772] GetLastError () returned 0x7e [0084.772] SetLastError (dwErrCode=0x7e) [0084.772] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6) returned 0x284130 [0084.772] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x284170 | out: hHeap=0x250000) returned 1 [0084.772] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x284150 | out: hHeap=0x250000) returned 1 [0084.772] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285690 [0084.772] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0084.772] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x25a) returned 0x289780 [0084.935] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0084.952] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275eb0 [0084.952] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275ee0 [0084.952] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0084.953] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275eb0 | out: hHeap=0x250000) returned 1 [0084.953] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275eb0 [0084.953] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x60) returned 0x27d600 [0084.953] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0084.953] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x80) returned 0x289410 [0084.954] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x27d600 | out: hHeap=0x250000) returned 1 [0084.955] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275f10 [0084.955] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xc0) returned 0x2894a0 [0084.956] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289410 | out: hHeap=0x250000) returned 1 [0084.956] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275f40 [0084.956] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275f70 [0084.956] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x120) returned 0x2899f0 [0084.956] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2894a0 | out: hHeap=0x250000) returned 1 [0084.956] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275fa0 [0084.956] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275fd0 [0084.956] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x1a0) returned 0x289b20 [0084.957] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2899f0 | out: hHeap=0x250000) returned 1 [0084.957] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x276000 [0084.957] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x276030 [0084.957] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x276060 [0084.957] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x276090 [0084.957] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x260) returned 0x289cd0 [0084.957] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289b20 | out: hHeap=0x250000) returned 1 [0084.957] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x2760c0 [0084.957] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x2760f0 [0084.957] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x276120 [0084.957] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x276150 [0084.957] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x276180 [0084.958] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x289f70 [0084.958] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x380) returned 0x28ab40 [0084.958] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289cd0 | out: hHeap=0x250000) returned 1 [0084.958] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x289fa0 [0084.958] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x289fd0 [0084.958] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x28a000 [0084.958] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x28a030 [0084.959] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x28a060 [0084.959] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x28a090 [0084.959] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x28a0c0 [0084.959] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x28a0f0 [0084.959] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x28a120 [0084.959] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x540) returned 0x2899f0 [0084.959] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28ab40 | out: hHeap=0x250000) returned 1 [0084.959] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x28a150 [0084.959] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x28a180 [0084.959] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x28a1b0 [0084.959] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x28a1e0 [0084.959] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x28a210 [0084.960] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0084.960] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289780 | out: hHeap=0x250000) returned 1 [0084.960] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0084.960] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0084.960] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0084.960] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0084.960] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x2856d0 [0084.960] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0084.960] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0084.960] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0084.960] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0084.960] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0084.961] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0084.961] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280270 [0084.961] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0084.961] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0084.961] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0084.961] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x11) returned 0x2856d0 [0084.961] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0084.962] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0084.962] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0084.962] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0084.962] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0084.962] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0084.962] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x80) returned 0x289410 [0084.962] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280270 | out: hHeap=0x250000) returned 1 [0084.963] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0084.963] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0084.963] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0084.963] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xf) returned 0x2856d0 [0084.963] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0084.963] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0084.964] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0084.964] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0084.964] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0084.964] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0084.964] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xc0) returned 0x2894a0 [0084.964] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289410 | out: hHeap=0x250000) returned 1 [0084.965] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0084.965] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0084.965] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0084.965] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856d0 [0084.965] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0084.965] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0084.966] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0084.966] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0084.966] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0084.966] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0084.966] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x100) returned 0x289780 [0084.966] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2894a0 | out: hHeap=0x250000) returned 1 [0084.966] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0084.966] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0084.967] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0084.967] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x13) returned 0x2856d0 [0084.967] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0084.967] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0084.967] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0084.967] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0084.967] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0084.967] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0084.967] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x180) returned 0x28ab40 [0084.968] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289780 | out: hHeap=0x250000) returned 1 [0085.778] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.223] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.455] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.455] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x2856d0 [0086.484] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.484] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.485] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.485] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.485] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.485] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.485] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.485] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.485] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.485] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856d0 [0086.485] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.485] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.486] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.486] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.486] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.486] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.486] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x240) returned 0x289780 [0086.487] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28ab40 | out: hHeap=0x250000) returned 1 [0086.488] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.488] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.488] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.488] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xe) returned 0x2856d0 [0086.488] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.488] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.488] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.489] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.489] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.668] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.668] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.668] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.669] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.669] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x2856d0 [0086.669] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.669] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.669] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.669] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.669] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.669] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.669] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.670] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.670] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.670] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x11) returned 0x2856d0 [0086.670] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.670] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.671] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.671] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.671] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.671] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.671] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x340) returned 0x28ab40 [0086.671] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289780 | out: hHeap=0x250000) returned 1 [0086.671] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.671] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.671] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x13) returned 0x2856d0 [0086.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.672] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.672] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.672] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.672] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.672] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.673] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x2856d0 [0086.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.673] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.674] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.674] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.674] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.674] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.674] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.674] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.675] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.675] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x13) returned 0x2856d0 [0086.675] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.675] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.675] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.675] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.675] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.675] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.676] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.676] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.676] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.677] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x2856d0 [0086.677] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.677] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.677] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.677] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.677] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.677] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.677] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x4c0) returned 0x28ae90 [0086.678] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28ab40 | out: hHeap=0x250000) returned 1 [0086.679] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.679] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.679] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.679] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x11) returned 0x2856d0 [0086.679] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.680] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.680] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.680] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.680] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.681] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.681] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.681] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.681] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.682] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x2856d0 [0086.682] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.682] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.682] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.682] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.683] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.683] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.683] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.683] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.683] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.684] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856d0 [0086.684] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.684] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.684] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.684] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.684] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.684] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.684] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.685] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.685] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.685] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856d0 [0086.685] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.685] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.685] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.685] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.685] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.685] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.686] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.686] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.686] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.686] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x11) returned 0x2856d0 [0086.686] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.686] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.687] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.687] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.687] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.687] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.687] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.687] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.687] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.687] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x11) returned 0x2856d0 [0086.688] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.688] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.688] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.688] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.688] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.688] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.688] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x700) returned 0x28b360 [0086.689] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28ae90 | out: hHeap=0x250000) returned 1 [0086.689] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.689] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.689] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.689] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x2856d0 [0086.689] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.689] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.690] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.690] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.690] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.690] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.691] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.691] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.691] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.691] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x11) returned 0x2856d0 [0086.691] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.691] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.691] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.691] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.691] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.691] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.692] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.693] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.693] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.693] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x11) returned 0x2856d0 [0086.693] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.693] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.693] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.693] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.693] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.693] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.694] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.694] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.695] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.696] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x2856d0 [0086.696] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.696] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.696] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.696] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.696] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.696] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.697] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.697] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.697] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.697] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x11) returned 0x2856d0 [0086.697] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.697] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.698] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.698] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.698] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.698] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.699] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.699] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.699] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.699] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856d0 [0086.699] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.699] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.700] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.700] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.700] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.700] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.700] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.700] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.847] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.847] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x2856d0 [0086.847] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.847] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.848] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.848] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.848] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.848] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.848] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.848] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.848] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.848] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x11) returned 0x2856d0 [0086.848] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.849] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.849] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.849] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.849] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.849] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.849] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.849] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.850] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.850] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x13) returned 0x2856d0 [0086.850] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.850] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.850] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.850] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.850] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.850] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.851] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xa80) returned 0x28ba70 [0086.851] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28b360 | out: hHeap=0x250000) returned 1 [0086.852] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.852] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.852] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.852] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856d0 [0086.852] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.852] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.853] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.853] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.853] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.853] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.853] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.854] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.854] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.854] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x11) returned 0x2856d0 [0086.854] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.854] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.854] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.854] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.854] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.854] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.855] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.855] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.855] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.855] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x13) returned 0x2856d0 [0086.855] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.855] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.856] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.856] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.856] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.856] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.856] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.856] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x285670 [0086.856] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x10) returned 0x2856b0 [0086.856] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x2856d0 [0086.856] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x275e80 [0086.856] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x40) returned 0x280220 [0086.857] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275e80 | out: hHeap=0x250000) returned 1 [0086.857] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856d0 | out: hHeap=0x250000) returned 1 [0086.857] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2856b0 | out: hHeap=0x250000) returned 1 [0086.857] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285670 | out: hHeap=0x250000) returned 1 [0086.857] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x280220 | out: hHeap=0x250000) returned 1 [0086.858] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275ee0 | out: hHeap=0x250000) returned 1 [0086.858] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275eb0 | out: hHeap=0x250000) returned 1 [0086.858] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275f10 | out: hHeap=0x250000) returned 1 [0086.858] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275f40 | out: hHeap=0x250000) returned 1 [0086.859] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275f70 | out: hHeap=0x250000) returned 1 [0086.859] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275fa0 | out: hHeap=0x250000) returned 1 [0086.859] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x275fd0 | out: hHeap=0x250000) returned 1 [0086.860] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x276000 | out: hHeap=0x250000) returned 1 [0086.860] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x276030 | out: hHeap=0x250000) returned 1 [0086.860] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x276060 | out: hHeap=0x250000) returned 1 [0086.861] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x276090 | out: hHeap=0x250000) returned 1 [0086.861] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2760c0 | out: hHeap=0x250000) returned 1 [0086.861] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2760f0 | out: hHeap=0x250000) returned 1 [0086.862] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x276120 | out: hHeap=0x250000) returned 1 [0086.862] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x276150 | out: hHeap=0x250000) returned 1 [0086.863] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x276180 | out: hHeap=0x250000) returned 1 [0086.863] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289f70 | out: hHeap=0x250000) returned 1 [0086.863] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289fa0 | out: hHeap=0x250000) returned 1 [0086.864] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x289fd0 | out: hHeap=0x250000) returned 1 [0086.864] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28a000 | out: hHeap=0x250000) returned 1 [0086.864] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28a030 | out: hHeap=0x250000) returned 1 [0086.865] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28a060 | out: hHeap=0x250000) returned 1 [0086.865] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28a090 | out: hHeap=0x250000) returned 1 [0086.866] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28a0c0 | out: hHeap=0x250000) returned 1 [0086.866] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28a0f0 | out: hHeap=0x250000) returned 1 [0086.866] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28a120 | out: hHeap=0x250000) returned 1 [0086.866] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28a150 | out: hHeap=0x250000) returned 1 [0086.867] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28a180 | out: hHeap=0x250000) returned 1 [0086.869] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28a1b0 | out: hHeap=0x250000) returned 1 [0086.869] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28a1e0 | out: hHeap=0x250000) returned 1 [0086.869] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28a210 | out: hHeap=0x250000) returned 1 [0086.870] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2899f0 | out: hHeap=0x250000) returned 1 [0087.061] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x288040 | out: hHeap=0x250000) returned 1 [0087.080] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0087.113] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0092.985] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0092.985] GetProcAddress (hModule=0x77280000, lpProcName="ZwAllocateVirtualMemory") returned 0x772d1490 [0092.985] GetProcAddress (hModule=0x77280000, lpProcName="ZwWriteVirtualMemory") returned 0x772d16b0 [0092.986] GetProcAddress (hModule=0x77280000, lpProcName="ZwReadVirtualMemory") returned 0x772d1700 [0092.986] GetProcAddress (hModule=0x77280000, lpProcName="ZwGetContextThread") returned 0x772d1fe0 [0092.986] GetProcAddress (hModule=0x77280000, lpProcName="ZwSetContextThread") returned 0x772d2840 [0093.906] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x30) returned 0x2984c0 [0094.097] CoCreateInstance (in: rclsid=0x1e457e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e457f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x252f8f0 | out: ppv=0x252f8f0*=0x2859f0) returned 0x0 [0094.119] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2859f0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x252f8e8 | out: ppNamespace=0x252f8e8*=0x2b2290) returned 0x0 [0096.805] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x7fefd730000 [0096.833] GetProcAddress (hModule=0x7fefd730000, lpProcName="CoSetProxyBlanket") returned 0x7fefd76bf00 [0096.833] CoSetProxyBlanket (pProxy=0x2b2290, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0096.846] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x18) returned 0x285cf0 [0096.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2984c0, cbMultiByte=35, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 35 [0096.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2984c0, cbMultiByte=35, lpWideCharStr=0x252f7e0, cchWideChar=35 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystem") returned 35 [0096.859] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x18) returned 0x285d10 [0096.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e5b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0096.859] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e5b258, cbMultiByte=4, lpWideCharStr=0x252f820, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0096.859] IWbemServices:ExecQuery (in: This=0x2b2290, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystem", lFlags=48, pCtx=0x0, ppEnum=0x252f8f8 | out: ppEnum=0x252f8f8*=0x2ba780) returned 0x0 [0097.037] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285d10 | out: hHeap=0x250000) returned 1 [0097.038] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x285cf0 | out: hHeap=0x250000) returned 1 [0097.038] IEnumWbemClassObject:Next (in: This=0x2ba780, lTimeout=-1, uCount=0x1, apObjects=0x252f900, puReturned=0x252fa18 | out: apObjects=0x252f900*=0x2be590, puReturned=0x252fa18*=0x1) returned 0x0 [0097.573] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x252fa50, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0097.908] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x252fa50, cbMultiByte=4, lpWideCharStr=0x252f818, cchWideChar=4 | out: lpWideCharStr="Name") returned 4 [0097.935] IWbemClassObject:Get (in: This=0x2be590, wszName="Name", lFlags=0, pVal=0x252f9a0*(varType=0x0, wReserved1=0x29, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x252f9a0*(varType=0x8, wReserved1=0x29, wReserved2=0x0, wReserved3=0x0, varVal1="Q9IATRKPRH", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0098.144] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x29bd40 [0098.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0098.165] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x252f838, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Q9IATRKPRH", lpUsedDefaultChar=0x0) returned 10 [0098.333] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x29bd40 | out: hHeap=0x250000) returned 1 [0098.333] IUnknown:Release (This=0x2be590) returned 0x0 [0098.334] WbemLocator:IUnknown:Release (This=0x2b2290) returned 0x0 [0098.564] WbemLocator:IUnknown:Release (This=0x2859f0) returned 0x0 [0098.564] IUnknown:Release (This=0x2ba780) returned 0x0 [0098.584] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2984c0 | out: hHeap=0x250000) returned 1 [0098.801] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x30) returned 0x2984c0 [0098.802] CoCreateInstance (rclsid=0x1e457e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e457f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x252f8f0) [0098.802] CoCreateInstance (in: rclsid=0x1e457e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e457f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x252f8f0 | out: ppv=0x252f8f0*=0x285d70) returned 0x0 [0098.802] WbemLocator:IWbemLocator:ConnectServer (in: This=0x285d70, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x252f8e8 | out: ppNamespace=0x252f8e8*=0x2b2290) returned 0x0 [0099.352] CoSetProxyBlanket (pProxy=0x2b2290, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0099.352] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x18) returned 0x2859f0 [0099.352] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2984c0, cbMultiByte=42, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 42 [0099.352] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2984c0, cbMultiByte=42, lpWideCharStr=0x252f7d0, cchWideChar=42 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystemProduct") returned 42 [0099.352] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x18) returned 0x2bde10 [0099.352] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e5b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0099.353] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e5b258, cbMultiByte=4, lpWideCharStr=0x252f820, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0099.353] IWbemServices:ExecQuery (in: This=0x2b2290, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystemProduct", lFlags=48, pCtx=0x0, ppEnum=0x252f8f8 | out: ppEnum=0x252f8f8*=0x2ba780) returned 0x0 [0099.355] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2bde10 | out: hHeap=0x250000) returned 1 [0099.355] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2859f0 | out: hHeap=0x250000) returned 1 [0099.355] IEnumWbemClassObject:Next (in: This=0x2ba780, lTimeout=-1, uCount=0x1, apObjects=0x252f900, puReturned=0x252fa18 | out: apObjects=0x252f900*=0x2bed00, puReturned=0x252fa18*=0x1) returned 0x0 [0100.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x252fa50, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0100.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x252fa50, cbMultiByte=4, lpWideCharStr=0x252f818, cchWideChar=4 | out: lpWideCharStr="UUID") returned 4 [0100.335] IWbemClassObject:Get (in: This=0x2bed00, wszName="UUID", lFlags=0, pVal=0x252f9a0*(varType=0x0, wReserved1=0x29, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x252f9a0*(varType=0x8, wReserved1=0x29, wReserved2=0x0, wReserved3=0x0, varVal1="4C4C4544-0050-3710-8058-CAC04F59344A", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0100.335] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x50) returned 0x297ba0 [0100.335] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0100.335] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x30) returned 0x2ade00 [0100.335] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x2ade00, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4C4C4544-0050-3710-8058-CAC04F59344A", lpUsedDefaultChar=0x0) returned 36 [0100.335] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x297ba0 | out: hHeap=0x250000) returned 1 [0100.336] IUnknown:Release (This=0x2bed00) returned 0x0 [0100.336] WbemLocator:IUnknown:Release (This=0x2b2290) returned 0x0 [0100.337] WbemLocator:IUnknown:Release (This=0x285d70) returned 0x0 [0100.337] IUnknown:Release (This=0x2ba780) returned 0x0 [0100.344] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2984c0 | out: hHeap=0x250000) returned 1 [0100.344] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x30) returned 0x2984c0 [0100.385] GetLastError () returned 0x0 [0100.385] SetLastError (dwErrCode=0x0) [0102.803] GetLastError () returned 0x0 [0103.148] SetLastError (dwErrCode=0x0) [0103.647] GetLastError () returned 0x0 [0103.647] SetLastError (dwErrCode=0x0) [0103.647] GetLastError () returned 0x0 [0103.647] SetLastError (dwErrCode=0x0) [0103.647] GetLastError () returned 0x0 [0103.647] SetLastError (dwErrCode=0x0) [0103.647] GetLastError () returned 0x0 [0103.647] SetLastError (dwErrCode=0x0) [0103.647] GetLastError () returned 0x0 [0103.647] SetLastError (dwErrCode=0x0) [0103.647] GetLastError () returned 0x0 [0103.647] SetLastError (dwErrCode=0x0) [0103.647] GetLastError () returned 0x0 [0103.647] SetLastError (dwErrCode=0x0) [0103.647] GetLastError () returned 0x0 [0103.647] SetLastError (dwErrCode=0x0) [0103.647] GetLastError () returned 0x0 [0103.647] SetLastError (dwErrCode=0x0) [0103.647] GetLastError () returned 0x0 [0103.647] SetLastError (dwErrCode=0x0) [0103.647] GetLastError () returned 0x0 [0103.648] SetLastError (dwErrCode=0x0) [0103.648] GetLastError () returned 0x0 [0103.648] SetLastError (dwErrCode=0x0) [0103.648] GetLastError () returned 0x0 [0103.648] SetLastError (dwErrCode=0x0) [0103.648] GetLastError () returned 0x0 [0103.648] SetLastError (dwErrCode=0x0) [0104.139] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x30) returned 0x2addc0 [0104.593] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2addc0, cbMultiByte=32, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 32 [0105.189] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x50) returned 0x2978a0 [0105.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2addc0, cbMultiByte=32, lpWideCharStr=0x2978a0, cchWideChar=32 | out: lpWideCharStr="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 32 [0105.224] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 0x180 [0105.224] GetLastError () returned 0xb7 [0105.225] CloseHandle (hObject=0x180) returned 1 [0105.225] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2978a0 | out: hHeap=0x250000) returned 1 [0105.225] CoUninitialize () [0106.139] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2addc0 | out: hHeap=0x250000) returned 1 [0106.139] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2984c0 | out: hHeap=0x250000) returned 1 [0106.140] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2ade00 | out: hHeap=0x250000) returned 1 [0106.478] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x28ba70 | out: hHeap=0x250000) returned 1 [0106.478] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x27bf60 | out: hHeap=0x250000) returned 1 [0106.492] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x27bee0 | out: hHeap=0x250000) returned 1 [0106.509] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x287c70 | out: hHeap=0x250000) returned 1 Thread: id = 129 os_tid = 0xb68 Thread: id = 135 os_tid = 0xf04 [0094.659] GetLastError () returned 0x57 [0094.659] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x78) returned 0x27bfe0 [0094.659] SetLastError (dwErrCode=0x57) [0094.672] GetLastError () returned 0x57 [0095.355] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c8) returned 0x2a0d90 [0095.380] SetLastError (dwErrCode=0x57) Thread: id = 137 os_tid = 0xb94 [0096.832] GetLastError () returned 0x57 [0096.832] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x78) returned 0x27c0e0 [0096.832] SetLastError (dwErrCode=0x57) [0096.832] GetLastError () returned 0x57 [0096.832] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c8) returned 0x2b9140 [0096.832] SetLastError (dwErrCode=0x57) Thread: id = 138 os_tid = 0xdec [0096.833] GetLastError () returned 0x57 [0096.833] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x78) returned 0x27c1e0 [0096.833] SetLastError (dwErrCode=0x57) [0096.833] GetLastError () returned 0x57 [0096.833] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c8) returned 0x2b9930 [0096.833] SetLastError (dwErrCode=0x57) Process: id = "8" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x45edc000" os_pid = "0xb90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"0\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 615 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 616 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 617 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 618 start_va = 0x170000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 619 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 620 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 621 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 622 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 623 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 624 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 625 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 626 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 627 start_va = 0x270000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 628 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 629 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 630 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 631 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 632 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 633 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 634 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 635 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 636 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 637 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 638 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 639 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 640 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 641 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 642 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 645 start_va = 0x270000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 646 start_va = 0x3c0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 647 start_va = 0x270000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 648 start_va = 0x370000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 649 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 650 start_va = 0x4c0000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 651 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 652 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 653 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 654 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 655 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 656 start_va = 0x650000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 657 start_va = 0x7e0000 end_va = 0x1bdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 699 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 700 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 701 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 705 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 710 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Thread: id = 18 os_tid = 0xbd8 [0050.595] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f8d8 | out: lpSystemTimeAsFileTime=0x26f8d8*(dwLowDateTime=0x18663fa0, dwHighDateTime=0x1d937fd)) [0050.595] GetCurrentThreadId () returned 0xbd8 [0050.595] GetCurrentProcessId () returned 0xb90 [0050.595] QueryPerformanceCounter (in: lpPerformanceCount=0x26f8e0 | out: lpPerformanceCount=0x26f8e0*=3317511212859) returned 1 [0050.595] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0050.597] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0050.597] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0050.598] GetLastError () returned 0x7e [0050.598] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0050.598] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0050.598] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0050.599] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0050.599] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0050.599] GetProcessHeap () returned 0x3c0000 [0050.599] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0050.600] GetLastError () returned 0x7e [0050.600] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0050.600] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0050.600] GetLastError () returned 0x7e [0050.600] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0050.600] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0050.600] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3c8) returned 0x3dcfa0 [0050.600] SetLastError (dwErrCode=0x7e) [0050.600] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1200) returned 0x3dd370 [0050.602] GetStartupInfoW (in: lpStartupInfo=0x26f7b0 | out: lpStartupInfo=0x26f7b0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x26f838, hStdError=0x1)) [0050.602] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0050.602] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0050.602] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0050.602] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"0\"" [0050.602] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"0\"" [0050.602] GetACP () returned 0x4e4 [0050.602] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x228) returned 0x3dab80 [0050.602] IsValidCodePage (CodePage=0x4e4) returned 1 [0050.602] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x26f770 | out: lpCPInfo=0x26f770) returned 1 [0050.603] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x26f010 | out: lpCPInfo=0x26f010) returned 1 [0050.603] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f030, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0050.603] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f030, cbMultiByte=256, lpWideCharStr=0x26ed60, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0050.603] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x26f330 | out: lpCharType=0x26f330) returned 1 [0050.603] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f030, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0050.603] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f030, cbMultiByte=256, lpWideCharStr=0x26ed00, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0050.603] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0050.603] GetLastError () returned 0x7e [0050.603] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0050.603] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0050.604] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x26eaf0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0050.604] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x26f130, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80«=", lpUsedDefaultChar=0x0) returned 256 [0050.604] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f030, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0050.604] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f030, cbMultiByte=256, lpWideCharStr=0x26ed00, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0050.604] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0050.604] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x26eaf0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0050.604] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x26f230, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0050.604] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x100) returned 0x3df580 [0050.604] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0050.604] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x17e) returned 0x3df690 [0050.604] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0050.604] GetLastError () returned 0x0 [0050.604] SetLastError (dwErrCode=0x0) [0050.604] GetEnvironmentStringsW () returned 0x3df820* [0050.604] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0xb32) returned 0x3e0360 [0050.604] FreeEnvironmentStringsW (penv=0x3df820) returned 1 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x128) returned 0x3e0ea0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3e) returned 0x3dafd0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x56) returned 0x3dadb0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x62) returned 0x3df820 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x78) returned 0x3df890 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x62) returned 0x3df910 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x30) returned 0x3de8f0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x48) returned 0x3db020 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x28) returned 0x3d7990 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1a) returned 0x3d79c0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x34) returned 0x3de930 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x5c) returned 0x3df980 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x32) returned 0x3de970 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2e) returned 0x3de9b0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1c) returned 0x3d79f0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x19c) returned 0x3df9f0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x7c) returned 0x3dfba0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3a) returned 0x3db070 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x90) returned 0x3dfc30 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x24) returned 0x3d7a20 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x30) returned 0x3de9f0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x36) returned 0x3dea30 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3c) returned 0x3db0c0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x52) returned 0x3dfcd0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3c) returned 0x3db110 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xd6) returned 0x3dfd30 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2e) returned 0x3dea70 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1e) returned 0x3d7a50 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2c) returned 0x3deab0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x54) returned 0x3dfe10 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x52) returned 0x3dfe70 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2c) returned 0x3deaf0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x26) returned 0x3d7a80 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3e) returned 0x3db160 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x24) returned 0x3d7ab0 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x30) returned 0x3deb30 [0050.605] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x8c) returned 0x3dfed0 [0050.606] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3e0360 | out: hHeap=0x3c0000) returned 1 [0050.606] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1000) returned 0x3e0fd0 [0050.607] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0050.607] GetStartupInfoW (in: lpStartupInfo=0x26f840 | out: lpStartupInfo=0x26f840*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0050.607] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"0\"" [0050.607] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"0\"", pNumArgs=0x26f810 | out: pNumArgs=0x26f810) returned 0x3e03f0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0050.607] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0050.622] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x1000) returned 0x3e40c0 [0050.717] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x12) returned 0x3e0e10 [0050.717] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="FPH732n7", cchWideChar=-1, lpMultiByteStr=0x3e0e10, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FPH732n7", lpUsedDefaultChar=0x0) returned 9 [0050.717] GetLastError () returned 0x0 [0050.717] SetLastError (dwErrCode=0x0) [0050.718] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7W") returned 0x0 [0050.718] GetLastError () returned 0x7f [0050.718] SetLastError (dwErrCode=0x7f) [0050.718] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7A") returned 0x0 [0050.718] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7") returned 0x7fef2eb1cf0 [0050.718] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x4) returned 0x3e0e30 [0050.718] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x3e0e30, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0050.718] GetActiveWindow () returned 0x0 [0050.967] GetLastError () returned 0x7f [0050.967] SetLastError (dwErrCode=0x7f) Process: id = "9" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x439ef000" os_pid = "0xbdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"0\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 658 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 659 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 660 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 661 start_va = 0x190000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 662 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 663 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 664 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 665 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 666 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 667 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 668 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 669 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 670 start_va = 0x50000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 671 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 672 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 673 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 674 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 675 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 676 start_va = 0x290000 end_va = 0x2f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 677 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 678 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 679 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 680 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 681 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 682 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 683 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 684 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 685 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 686 start_va = 0x300000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 687 start_va = 0x300000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 688 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 689 start_va = 0x160000 end_va = 0x188fff monitored = 0 entry_point = 0x161010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 690 start_va = 0x470000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 691 start_va = 0x160000 end_va = 0x188fff monitored = 0 entry_point = 0x161010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 692 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 693 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 694 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 695 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 696 start_va = 0x60000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 697 start_va = 0x600000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 698 start_va = 0x790000 end_va = 0x1b8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 702 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 703 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 704 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 706 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 709 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 945 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 946 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Thread: id = 20 os_tid = 0xb98 [0050.850] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fb18 | out: lpSystemTimeAsFileTime=0x28fb18*(dwLowDateTime=0x188c55a0, dwHighDateTime=0x1d937fd)) [0050.850] GetCurrentThreadId () returned 0xb98 [0050.850] GetCurrentProcessId () returned 0xbdc [0050.850] QueryPerformanceCounter (in: lpPerformanceCount=0x28fb20 | out: lpPerformanceCount=0x28fb20*=3317536707270) returned 1 [0050.850] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0050.853] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0050.853] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0050.853] GetLastError () returned 0x7e [0050.853] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0050.854] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0050.854] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0050.855] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0050.855] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0050.855] GetProcessHeap () returned 0x60000 [0050.855] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0050.856] GetLastError () returned 0x7e [0050.856] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0050.856] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0050.856] GetLastError () returned 0x7e [0050.856] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0050.856] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0050.856] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x3c8) returned 0x7cfa0 [0050.857] SetLastError (dwErrCode=0x7e) [0050.857] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x1200) returned 0x7d370 [0050.859] GetStartupInfoW (in: lpStartupInfo=0x28f9f0 | out: lpStartupInfo=0x28f9f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x28fa78, hStdError=0x1)) [0050.859] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0050.859] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0050.859] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0050.859] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"0\"" [0050.859] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"0\"" [0050.859] GetACP () returned 0x4e4 [0050.859] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x0, Size=0x228) returned 0x7ab80 [0050.859] IsValidCodePage (CodePage=0x4e4) returned 1 [0050.859] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x28f9b0 | out: lpCPInfo=0x28f9b0) returned 1 [0050.860] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x28f250 | out: lpCPInfo=0x28f250) returned 1 [0050.860] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f270, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0050.860] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f270, cbMultiByte=256, lpWideCharStr=0x28efa0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0050.860] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x28f570 | out: lpCharType=0x28f570) returned 1 [0050.860] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f270, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0050.860] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f270, cbMultiByte=256, lpWideCharStr=0x28ef40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0050.860] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0050.860] GetLastError () returned 0x7e [0050.860] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0050.860] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0050.861] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x28ed30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0050.861] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x28f370, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80«\x07", lpUsedDefaultChar=0x0) returned 256 [0050.861] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f270, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0050.861] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f270, cbMultiByte=256, lpWideCharStr=0x28ef40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0050.861] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0050.861] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x28ed30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0050.861] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x28f470, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0050.861] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x0, Size=0x100) returned 0x7f580 [0050.861] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0050.861] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x17e) returned 0x7f690 [0050.861] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0050.862] GetLastError () returned 0x0 [0050.862] SetLastError (dwErrCode=0x0) [0050.862] GetEnvironmentStringsW () returned 0x7f820* [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x0, Size=0xb32) returned 0x80360 [0050.862] FreeEnvironmentStringsW (penv=0x7f820) returned 1 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x128) returned 0x80ea0 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x3e) returned 0x7afd0 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x56) returned 0x7adb0 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x62) returned 0x7f820 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x78) returned 0x7f890 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x62) returned 0x7f910 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x30) returned 0x7e8f0 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x48) returned 0x7b020 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x28) returned 0x77990 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x1a) returned 0x779c0 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x34) returned 0x7e930 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x5c) returned 0x7f980 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x32) returned 0x7e970 [0050.862] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x2e) returned 0x7e9b0 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x1c) returned 0x779f0 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x19c) returned 0x7f9f0 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x7c) returned 0x7fba0 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x3a) returned 0x7b070 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x90) returned 0x7fc30 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x24) returned 0x77a20 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x30) returned 0x7e9f0 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x36) returned 0x7ea30 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x3c) returned 0x7b0c0 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x52) returned 0x7fcd0 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x3c) returned 0x7b110 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0xd6) returned 0x7fd30 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x2e) returned 0x7ea70 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x1e) returned 0x77a50 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x2c) returned 0x7eab0 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x54) returned 0x7fe10 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x52) returned 0x7fe70 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x2c) returned 0x7eaf0 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x26) returned 0x77a80 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x3e) returned 0x7b160 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x24) returned 0x77ab0 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x30) returned 0x7eb30 [0050.863] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x8c) returned 0x7fed0 [0050.864] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x80360 | out: hHeap=0x60000) returned 1 [0050.864] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x1000) returned 0x80fd0 [0050.864] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0050.864] GetStartupInfoW (in: lpStartupInfo=0x28fa80 | out: lpStartupInfo=0x28fa80*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0050.865] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"0\"" [0050.865] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"0\"", pNumArgs=0x28fa50 | out: pNumArgs=0x28fa50) returned 0x803f0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0050.865] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0050.871] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x0, Size=0x1000) returned 0x840c0 [0050.871] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x0, Size=0x12) returned 0x80e10 [0050.871] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="KlXWgB9j", cchWideChar=-1, lpMultiByteStr=0x80e10, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="KlXWgB9j", lpUsedDefaultChar=0x0) returned 9 [0050.871] GetLastError () returned 0x0 [0050.871] SetLastError (dwErrCode=0x0) [0050.871] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jW") returned 0x0 [0050.871] GetLastError () returned 0x7f [0050.872] SetLastError (dwErrCode=0x7f) [0050.872] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jA") returned 0x0 [0050.872] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9j") returned 0x7fef2eb0010 [0050.872] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x0, Size=0x4) returned 0x80e30 [0050.872] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x80e30, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0050.872] GetActiveWindow () returned 0x0 [0051.077] GetLastError () returned 0x7f [0051.077] SetLastError (dwErrCode=0x7f) Process: id = "10" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x43702000" os_pid = "0xbf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"0\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 715 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 716 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 717 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 718 start_va = 0x1d0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 719 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 720 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 721 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 722 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 723 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 724 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 725 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 726 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 727 start_va = 0x2d0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 728 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 729 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 730 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 731 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 732 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 733 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 734 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 735 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 736 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 737 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 738 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 739 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 740 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 741 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 742 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 743 start_va = 0x4c0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 744 start_va = 0xc0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 746 start_va = 0x2d0000 end_va = 0x2f8fff monitored = 0 entry_point = 0x2d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 747 start_va = 0x3c0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 748 start_va = 0x5e0000 end_va = 0x767fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 749 start_va = 0x2d0000 end_va = 0x2f8fff monitored = 0 entry_point = 0x2d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 750 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 751 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 798 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 799 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 800 start_va = 0x770000 end_va = 0x8f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 801 start_va = 0x900000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 802 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 803 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 804 start_va = 0x2d0000 end_va = 0x2d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 807 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 808 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Thread: id = 22 os_tid = 0xbf4 [0052.407] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf778 | out: lpSystemTimeAsFileTime=0x2cf778*(dwLowDateTime=0x197a5f20, dwHighDateTime=0x1d937fd)) [0052.407] GetCurrentThreadId () returned 0xbf4 [0052.407] GetCurrentProcessId () returned 0xbf0 [0052.407] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf780 | out: lpPerformanceCount=0x2cf780*=3317692461532) returned 1 [0052.408] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0052.410] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0052.410] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0052.411] GetLastError () returned 0x7e [0052.411] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0052.411] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0052.411] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0052.412] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0052.412] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0052.412] GetProcessHeap () returned 0x3c0000 [0052.412] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0052.412] GetLastError () returned 0x7e [0052.412] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0052.413] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0052.413] GetLastError () returned 0x7e [0052.413] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0052.413] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0052.413] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3c8) returned 0x3dcf90 [0052.413] SetLastError (dwErrCode=0x7e) [0052.413] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1200) returned 0x3dd360 [0052.415] GetStartupInfoW (in: lpStartupInfo=0x2cf650 | out: lpStartupInfo=0x2cf650*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2cf6d8, hStdError=0x1)) [0052.415] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0052.415] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0052.415] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0052.415] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"0\"" [0052.415] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"0\"" [0052.415] GetACP () returned 0x4e4 [0052.415] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x228) returned 0x3dab70 [0052.415] IsValidCodePage (CodePage=0x4e4) returned 1 [0052.415] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf610 | out: lpCPInfo=0x2cf610) returned 1 [0052.415] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2ceeb0 | out: lpCPInfo=0x2ceeb0) returned 1 [0052.416] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ceed0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0052.416] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ceed0, cbMultiByte=256, lpWideCharStr=0x2cec00, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0052.416] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x2cf1d0 | out: lpCharType=0x2cf1d0) returned 1 [0052.416] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ceed0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0052.416] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ceed0, cbMultiByte=256, lpWideCharStr=0x2ceba0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0052.416] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0052.416] GetLastError () returned 0x7e [0052.416] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0052.416] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0052.417] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ce990, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0052.417] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2cefd0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿp«=", lpUsedDefaultChar=0x0) returned 256 [0052.417] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ceed0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0052.417] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ceed0, cbMultiByte=256, lpWideCharStr=0x2ceba0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0052.417] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0052.417] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ce990, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0052.417] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2cf0d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0052.417] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x100) returned 0x3df570 [0052.417] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0052.417] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x17c) returned 0x3df680 [0052.417] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0052.417] GetLastError () returned 0x0 [0052.417] SetLastError (dwErrCode=0x0) [0052.417] GetEnvironmentStringsW () returned 0x3df810* [0052.417] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0xb32) returned 0x3e0350 [0052.417] FreeEnvironmentStringsW (penv=0x3df810) returned 1 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x128) returned 0x3e0e90 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3e) returned 0x3dafc0 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x56) returned 0x3dada0 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x62) returned 0x3df810 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x78) returned 0x3df880 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x62) returned 0x3df900 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x30) returned 0x3de8e0 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x48) returned 0x3db010 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x28) returned 0x3d7970 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1a) returned 0x3d79a0 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x34) returned 0x3de920 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x5c) returned 0x3df970 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x32) returned 0x3de960 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2e) returned 0x3de9a0 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1c) returned 0x3d79d0 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x19c) returned 0x3df9e0 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x7c) returned 0x3dfb90 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3a) returned 0x3db060 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x90) returned 0x3dfc20 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x24) returned 0x3d7a00 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x30) returned 0x3de9e0 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x36) returned 0x3dea20 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3c) returned 0x3db0b0 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x52) returned 0x3dfcc0 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3c) returned 0x3db100 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xd6) returned 0x3dfd20 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2e) returned 0x3dea60 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1e) returned 0x3d7a30 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2c) returned 0x3deaa0 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x54) returned 0x3dfe00 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x52) returned 0x3dfe60 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2c) returned 0x3deae0 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x26) returned 0x3d7a60 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3e) returned 0x3db150 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x24) returned 0x3d7a90 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x30) returned 0x3deb20 [0052.418] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x8c) returned 0x3dfec0 [0052.419] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3e0350 | out: hHeap=0x3c0000) returned 1 [0052.419] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1000) returned 0x3e0fd0 [0052.419] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0052.420] GetStartupInfoW (in: lpStartupInfo=0x2cf6e0 | out: lpStartupInfo=0x2cf6e0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0052.420] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"0\"" [0052.420] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"0\"", pNumArgs=0x2cf6b0 | out: pNumArgs=0x2cf6b0) returned 0x3e03e0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0052.420] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0052.424] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x1000) returned 0x3e40c0 [0052.424] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x10) returned 0x3e0e00 [0052.424] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="LKKIJ77", cchWideChar=-1, lpMultiByteStr=0x3e0e00, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LKKIJ77", lpUsedDefaultChar=0x0) returned 8 [0052.425] GetLastError () returned 0x0 [0052.425] SetLastError (dwErrCode=0x0) [0052.425] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77W") returned 0x0 [0052.425] GetLastError () returned 0x7f [0052.425] SetLastError (dwErrCode=0x7f) [0052.425] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77A") returned 0x0 [0052.425] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77") returned 0x7fef2ea6420 [0052.425] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x4) returned 0x3e0e20 [0052.425] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x3e0e20, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0052.425] GetActiveWindow () returned 0x0 [0052.648] GetLastError () returned 0x7f [0052.648] SetLastError (dwErrCode=0x7f) Process: id = "11" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x43310000" os_pid = "0x740" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"0\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 752 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 753 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 754 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 755 start_va = 0x1d0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 756 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 757 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 758 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 759 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 760 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 761 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 762 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 763 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 764 start_va = 0x2d0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 765 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 766 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 767 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 768 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 769 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 770 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 771 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 772 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 773 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 774 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 775 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 776 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 777 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 778 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 779 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 780 start_va = 0xc0000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 781 start_va = 0x2d0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 782 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 783 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 784 start_va = 0x120000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 785 start_va = 0x500000 end_va = 0x687fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 786 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 787 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 788 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 789 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 790 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 791 start_va = 0x690000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 792 start_va = 0x820000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 793 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 794 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 795 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 796 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 797 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Thread: id = 24 os_tid = 0x300 [0051.861] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfa58 | out: lpSystemTimeAsFileTime=0x2cfa58*(dwLowDateTime=0x19270f00, dwHighDateTime=0x1d937fd)) [0051.862] GetCurrentThreadId () returned 0x300 [0051.862] GetCurrentProcessId () returned 0x740 [0051.862] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfa60 | out: lpPerformanceCount=0x2cfa60*=3317637876597) returned 1 [0051.862] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0051.864] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0051.864] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0051.864] GetLastError () returned 0x7e [0051.864] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0051.865] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0051.865] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0051.866] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0051.866] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0051.866] GetProcessHeap () returned 0x400000 [0051.866] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0051.866] GetLastError () returned 0x7e [0051.866] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0051.867] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0051.867] GetLastError () returned 0x7e [0051.867] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0051.867] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0051.867] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3c8) returned 0x41cfa0 [0051.867] SetLastError (dwErrCode=0x7e) [0051.867] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x1200) returned 0x41d370 [0051.869] GetStartupInfoW (in: lpStartupInfo=0x2cf930 | out: lpStartupInfo=0x2cf930*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2cf9b8, hStdError=0x1)) [0051.869] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0051.869] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0051.869] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0051.869] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"0\"" [0051.869] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"0\"" [0051.869] GetACP () returned 0x4e4 [0051.870] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x228) returned 0x41ab80 [0051.870] IsValidCodePage (CodePage=0x4e4) returned 1 [0051.870] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf8f0 | out: lpCPInfo=0x2cf8f0) returned 1 [0051.870] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf190 | out: lpCPInfo=0x2cf190) returned 1 [0051.870] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf1b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0051.870] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf1b0, cbMultiByte=256, lpWideCharStr=0x2ceee0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0051.870] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x2cf4b0 | out: lpCharType=0x2cf4b0) returned 1 [0051.870] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf1b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0051.870] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf1b0, cbMultiByte=256, lpWideCharStr=0x2cee80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0051.870] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0051.871] GetLastError () returned 0x7e [0051.871] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0051.871] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0051.871] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2cec70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0051.871] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2cf2b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80«A", lpUsedDefaultChar=0x0) returned 256 [0051.871] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf1b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0051.871] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf1b0, cbMultiByte=256, lpWideCharStr=0x2cee80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0051.871] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0051.871] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2cec70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0051.871] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2cf3b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0051.871] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x100) returned 0x41f580 [0051.872] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x182) returned 0x41f690 [0051.872] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0051.872] GetLastError () returned 0x0 [0051.872] SetLastError (dwErrCode=0x0) [0051.872] GetEnvironmentStringsW () returned 0x41f820* [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0xb32) returned 0x420360 [0051.872] FreeEnvironmentStringsW (penv=0x41f820) returned 1 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x128) returned 0x420ea0 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3e) returned 0x41afd0 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x56) returned 0x41adb0 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x62) returned 0x41f820 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x78) returned 0x41f890 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x62) returned 0x41f910 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x30) returned 0x41e8f0 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x48) returned 0x41b020 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x28) returned 0x417990 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x1a) returned 0x4179c0 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x34) returned 0x41e930 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x5c) returned 0x41f980 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x32) returned 0x41e970 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x2e) returned 0x41e9b0 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x1c) returned 0x4179f0 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x19c) returned 0x41f9f0 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x7c) returned 0x41fba0 [0051.872] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3a) returned 0x41b070 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x90) returned 0x41fc30 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x24) returned 0x417a20 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x30) returned 0x41e9f0 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x36) returned 0x41ea30 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3c) returned 0x41b0c0 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x52) returned 0x41fcd0 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3c) returned 0x41b110 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xd6) returned 0x41fd30 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x2e) returned 0x41ea70 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x1e) returned 0x417a50 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x2c) returned 0x41eab0 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x54) returned 0x41fe10 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x52) returned 0x41fe70 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x2c) returned 0x41eaf0 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x26) returned 0x417a80 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3e) returned 0x41b160 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x24) returned 0x417ab0 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x30) returned 0x41eb30 [0051.873] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x8c) returned 0x41fed0 [0051.874] HeapFree (in: hHeap=0x400000, dwFlags=0x0, lpMem=0x420360 | out: hHeap=0x400000) returned 1 [0051.874] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x1000) returned 0x420fd0 [0051.874] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0051.874] GetStartupInfoW (in: lpStartupInfo=0x2cf9c0 | out: lpStartupInfo=0x2cf9c0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0051.874] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"0\"" [0051.874] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"0\"", pNumArgs=0x2cf990 | out: pNumArgs=0x2cf990) returned 0x4203f0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0051.874] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0051.879] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x1000) returned 0x4240c0 [0051.879] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x16) returned 0x420e10 [0051.879] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MMlFUh3Tzt", cchWideChar=-1, lpMultiByteStr=0x420e10, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMlFUh3Tzt", lpUsedDefaultChar=0x0) returned 11 [0051.879] GetLastError () returned 0x0 [0051.879] SetLastError (dwErrCode=0x0) [0051.880] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztW") returned 0x0 [0051.880] GetLastError () returned 0x7f [0051.880] SetLastError (dwErrCode=0x7f) [0051.880] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztA") returned 0x0 [0051.880] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3Tzt") returned 0x7fef2eb0cf0 [0051.880] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x4) returned 0x420e30 [0051.880] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="0", cchWideChar=-1, lpMultiByteStr=0x420e30, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="0", lpUsedDefaultChar=0x0) returned 2 [0051.880] GetActiveWindow () returned 0x0 [0051.880] GetLastError () returned 0x7f [0051.880] SetLastError (dwErrCode=0x7f) Process: id = "12" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x44025000" os_pid = "0x32c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"1\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 809 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 810 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 811 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 812 start_va = 0xd0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 813 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 814 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 815 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 816 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 817 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 818 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 819 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 820 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 821 start_va = 0x1d0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 822 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 823 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 824 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 825 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 826 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 827 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 828 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 829 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 830 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 831 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 832 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 833 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 834 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 835 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 836 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 837 start_va = 0x400000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 838 start_va = 0x1d0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 839 start_va = 0x300000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 840 start_va = 0x2d0000 end_va = 0x2f8fff monitored = 0 entry_point = 0x2d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 841 start_va = 0x540000 end_va = 0x6c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 842 start_va = 0x2d0000 end_va = 0x2f8fff monitored = 0 entry_point = 0x2d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 843 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 844 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 845 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 846 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 847 start_va = 0x6d0000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 848 start_va = 0x860000 end_va = 0x1c5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 849 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 850 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 851 start_va = 0x2d0000 end_va = 0x2d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 1578 start_va = 0x400000 end_va = 0x47dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1579 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1580 start_va = 0x1c60000 end_va = 0x1db7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c60000" filename = "" Region: id = 1625 start_va = 0x1dc0000 end_va = 0x1f20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001dc0000" filename = "" Region: id = 1629 start_va = 0x7fefd2c0000 end_va = 0x7fefd42cfff monitored = 0 entry_point = 0x7fefd2c10b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1630 start_va = 0x7fefd270000 end_va = 0x7fefd27efff monitored = 0 entry_point = 0x7fefd271020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1631 start_va = 0x7fefd060000 end_va = 0x7fefd06afff monitored = 0 entry_point = 0x7fefd061030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1632 start_va = 0x7fefd090000 end_va = 0x7fefd0b4fff monitored = 0 entry_point = 0x7fefd099658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1633 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1634 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1635 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1636 start_va = 0x7fefabb0000 end_va = 0x7fefabc7fff monitored = 0 entry_point = 0x7fefabb1010 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1637 start_va = 0x7fefacc0000 end_va = 0x7feface6fff monitored = 0 entry_point = 0x7fefacc98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1638 start_va = 0x7fefed70000 end_va = 0x7fefed77fff monitored = 0 entry_point = 0x7fefed71504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1639 start_va = 0x7fefacb0000 end_va = 0x7fefacbafff monitored = 0 entry_point = 0x7fefacb1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1640 start_va = 0x7fefb550000 end_va = 0x7fefb560fff monitored = 0 entry_point = 0x7fefb551070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1641 start_va = 0x7feff280000 end_va = 0x7feff2ccfff monitored = 0 entry_point = 0x7feff281070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1642 start_va = 0x1f30000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 1702 start_va = 0x2100000 end_va = 0x23cefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1705 start_va = 0x23d0000 end_va = 0x24cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 1706 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2394 start_va = 0x480000 end_va = 0x4fcfff monitored = 0 entry_point = 0x48cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2395 start_va = 0x480000 end_va = 0x4fcfff monitored = 0 entry_point = 0x48cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2396 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2449 start_va = 0x25b0000 end_va = 0x26affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2450 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2462 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 2480 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2481 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 2482 start_va = 0x7fef9520000 end_va = 0x7fef952dfff monitored = 0 entry_point = 0x7fef9525500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2483 start_va = 0x7fef97c0000 end_va = 0x7fef9836fff monitored = 0 entry_point = 0x7fef97fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2484 start_va = 0x7fefcc30000 end_va = 0x7fefcc51fff monitored = 0 entry_point = 0x7fefcc35d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2485 start_va = 0x2830000 end_va = 0x292ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 2486 start_va = 0x7fefcac0000 end_va = 0x7fefcad7fff monitored = 0 entry_point = 0x7fefcac3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2487 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2488 start_va = 0x480000 end_va = 0x4c4fff monitored = 0 entry_point = 0x481064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2489 start_va = 0x480000 end_va = 0x4c4fff monitored = 0 entry_point = 0x481064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2490 start_va = 0x480000 end_va = 0x4c4fff monitored = 0 entry_point = 0x481064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2491 start_va = 0x480000 end_va = 0x4c4fff monitored = 0 entry_point = 0x481064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2492 start_va = 0x480000 end_va = 0x4c4fff monitored = 0 entry_point = 0x481064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2503 start_va = 0x7fefc7c0000 end_va = 0x7fefc806fff monitored = 0 entry_point = 0x7fefc7c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2504 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c3fff monitored = 0 entry_point = 0x7fefd1b10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2512 start_va = 0x1f70000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 2513 start_va = 0x2080000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 2514 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2515 start_va = 0x2940000 end_va = 0x2a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 2516 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2519 start_va = 0x7fef9240000 end_va = 0x7fef9252fff monitored = 0 entry_point = 0x7fef9241d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2520 start_va = 0x7fef9560000 end_va = 0x7fef9632fff monitored = 0 entry_point = 0x7fef95d8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2521 start_va = 0x7fef9530000 end_va = 0x7fef9556fff monitored = 0 entry_point = 0x7fef95311a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2562 start_va = 0x480000 end_va = 0x482fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Thread: id = 26 os_tid = 0x270 [0053.318] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf958 | out: lpSystemTimeAsFileTime=0x1cf958*(dwLowDateTime=0x1a046ee0, dwHighDateTime=0x1d937fd)) [0053.318] GetCurrentThreadId () returned 0x270 [0053.318] GetCurrentProcessId () returned 0x32c [0053.318] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf960 | out: lpPerformanceCount=0x1cf960*=3317783531605) returned 1 [0053.319] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0053.321] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0053.321] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0053.322] GetLastError () returned 0x7e [0053.322] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0053.322] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0053.322] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0053.323] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0053.323] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0053.324] GetProcessHeap () returned 0x300000 [0053.324] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0053.324] GetLastError () returned 0x7e [0053.324] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0053.324] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0053.324] GetLastError () returned 0x7e [0053.324] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0053.324] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0053.325] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x31cfa0 [0053.325] SetLastError (dwErrCode=0x7e) [0053.325] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1200) returned 0x31d370 [0053.327] GetStartupInfoW (in: lpStartupInfo=0x1cf830 | out: lpStartupInfo=0x1cf830*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x1cf8b8, hStdError=0x1)) [0053.327] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0053.327] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0053.327] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0053.327] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"1\"" [0053.327] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"1\"" [0053.328] GetACP () returned 0x4e4 [0053.328] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x228) returned 0x31ab80 [0053.328] IsValidCodePage (CodePage=0x4e4) returned 1 [0053.328] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cf7f0 | out: lpCPInfo=0x1cf7f0) returned 1 [0053.328] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cf090 | out: lpCPInfo=0x1cf090) returned 1 [0053.328] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf0b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0053.328] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf0b0, cbMultiByte=256, lpWideCharStr=0x1cede0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0053.328] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x1cf3b0 | out: lpCharType=0x1cf3b0) returned 1 [0053.328] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf0b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0053.328] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf0b0, cbMultiByte=256, lpWideCharStr=0x1ced80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0053.328] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0053.328] GetLastError () returned 0x7e [0053.328] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0053.329] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0053.329] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ceb70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0053.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1cf1b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80«1", lpUsedDefaultChar=0x0) returned 256 [0053.329] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf0b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0053.329] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf0b0, cbMultiByte=256, lpWideCharStr=0x1ced80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0053.329] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0053.329] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ceb70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0053.329] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1cf2b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x100) returned 0x31f580 [0053.330] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x182) returned 0x31f690 [0053.330] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0053.330] GetLastError () returned 0x0 [0053.330] SetLastError (dwErrCode=0x0) [0053.330] GetEnvironmentStringsW () returned 0x31f820* [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xb32) returned 0x320360 [0053.330] FreeEnvironmentStringsW (penv=0x31f820) returned 1 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x128) returned 0x320ea0 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x31afd0 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x56) returned 0x31adb0 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x62) returned 0x31f820 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x31f890 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x62) returned 0x31f910 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31e8f0 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x31b020 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x28) returned 0x317990 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1a) returned 0x3179c0 [0053.330] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x34) returned 0x31e930 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x5c) returned 0x31f980 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x32) returned 0x31e970 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31e9b0 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1c) returned 0x3179f0 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x19c) returned 0x31f9f0 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x7c) returned 0x31fba0 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3a) returned 0x31b070 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x90) returned 0x31fc30 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x317a20 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31e9f0 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x36) returned 0x31ea30 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x31b0c0 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x31fcd0 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x31b110 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xd6) returned 0x31fd30 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31ea70 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x317a50 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x31eab0 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x54) returned 0x31fe10 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x31fe70 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x31eaf0 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x26) returned 0x317a80 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x31b160 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x317ab0 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31eb30 [0053.331] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x8c) returned 0x31fed0 [0053.332] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x320360 | out: hHeap=0x300000) returned 1 [0053.332] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1000) returned 0x320fd0 [0053.332] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0053.333] GetStartupInfoW (in: lpStartupInfo=0x1cf8c0 | out: lpStartupInfo=0x1cf8c0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0053.333] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"1\"" [0053.333] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"1\"", pNumArgs=0x1cf890 | out: pNumArgs=0x1cf890) returned 0x3203f0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0053.333] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0053.340] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x1000) returned 0x3240c0 [0053.341] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x16) returned 0x320e10 [0053.341] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Cpurthnvlc", cchWideChar=-1, lpMultiByteStr=0x320e10, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Cpurthnvlc", lpUsedDefaultChar=0x0) returned 11 [0053.341] GetLastError () returned 0x0 [0053.341] SetLastError (dwErrCode=0x0) [0053.341] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcW") returned 0x0 [0053.341] GetLastError () returned 0x7f [0053.341] SetLastError (dwErrCode=0x7f) [0053.341] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcA") returned 0x0 [0053.341] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="Cpurthnvlc") returned 0x7fef2ea5970 [0053.342] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x4) returned 0x320e30 [0053.342] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x320e30, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0053.342] GetActiveWindow () returned 0x0 [0079.911] VirtualAlloc (lpAddress=0x0, dwSize=0x7e000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0080.390] GetProcAddress (hModule=0x77160000, lpProcName="ExitProcess") returned 0x772a40f0 [0080.390] GetProcAddress (hModule=0x77160000, lpProcName="LoadLibraryW") returned 0x77176420 [0080.390] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77280000 [0080.390] GetProcAddress (hModule=0x77280000, lpProcName="NtMapViewOfSection") returned 0x772d1590 [0080.390] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenFile") returned 0x772d1640 [0080.390] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenSection") returned 0x772d1680 [0080.390] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateSection") returned 0x772d17b0 [0080.391] GetProcAddress (hModule=0x77160000, lpProcName="VirtualProtect") returned 0x771629f0 [0080.391] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentThreadId") returned 0x77173380 [0080.391] GetProcAddress (hModule=0x77160000, lpProcName="GetModuleFileNameA") returned 0x77175940 [0080.391] GetProcAddress (hModule=0x77160000, lpProcName="VirtualAlloc") returned 0x77175c40 [0080.391] GetProcAddress (hModule=0x77160000, lpProcName="GetProcessHeap") returned 0x77181a30 [0080.391] GetProcAddress (hModule=0x77160000, lpProcName="HeapAlloc") returned 0x772d33a0 [0080.391] GetProcAddress (hModule=0x77160000, lpProcName="HeapFree") returned 0x77181a50 [0080.392] GetModuleFileNameA (in: hModule=0x7fef2ea0000, lpFilename=0x1cf590, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll")) returned 0x62 [0080.392] VirtualAlloc (lpAddress=0x0, dwSize=0x158000, flAllocationType=0x3000, flProtect=0x4) returned 0x1c60000 [0080.712] GetProcessHeap () returned 0x300000 [0080.712] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x3f80) returned 0x3250d0 [0081.964] GetProcessHeap () returned 0x300000 [0081.964] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3250d0 | out: hHeap=0x300000) returned 1 [0081.964] GetCurrentThreadId () returned 0x270 [0081.964] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cf454 | out: lpflOldProtect=0x1cf454*=0x20) returned 1 [0081.965] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cf454 | out: lpflOldProtect=0x1cf454*=0x40) returned 1 [0081.965] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cf454 | out: lpflOldProtect=0x1cf454*=0x20) returned 1 [0081.965] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cf454 | out: lpflOldProtect=0x1cf454*=0x40) returned 1 [0081.966] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cf454 | out: lpflOldProtect=0x1cf454*=0x20) returned 1 [0081.966] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cf454 | out: lpflOldProtect=0x1cf454*=0x40) returned 1 [0081.966] LoadLibraryW (lpLibFileName="gdiplus.dll") returned 0x1dc0000 [0081.967] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ce2c4 | out: lpflOldProtect=0x1ce2c4*=0x20) returned 1 [0081.967] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ce2c4 | out: lpflOldProtect=0x1ce2c4*=0x40) returned 1 [0081.967] NtOpenFile (in: FileHandle=0x1ce3a8, DesiredAccess=0x100020, ObjectAttributes=0x1ce3f8*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1ce428, ShareAccess=0x3, OpenOptions=0x21 | out: FileHandle=0x1ce3a8*=0x70, IoStatusBlock=0x1ce428*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0082.430] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ce2c4 | out: lpflOldProtect=0x1ce2c4*=0x20) returned 1 [0082.431] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ce2c4 | out: lpflOldProtect=0x1ce2c4*=0x40) returned 1 [0082.431] GetCurrentThreadId () returned 0x270 [0082.431] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cef94 | out: lpflOldProtect=0x1cef94*=0x20) returned 1 [0082.432] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cef94 | out: lpflOldProtect=0x1cef94*=0x40) returned 1 [0082.432] NtOpenFile (in: FileHandle=0x1cf060, DesiredAccess=0x100021, ObjectAttributes=0x1cf118*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1cf148, ShareAccess=0x5, OpenOptions=0x60 | out: FileHandle=0x1cf060*=0x74, IoStatusBlock=0x1cf148*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0082.432] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cef84 | out: lpflOldProtect=0x1cef84*=0x20) returned 1 [0082.433] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cef84 | out: lpflOldProtect=0x1cef84*=0x40) returned 1 [0082.433] GetCurrentThreadId () returned 0x270 [0082.433] NtCreateSection (in: SectionHandle=0x1cf068, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x74 | out: SectionHandle=0x1cf068*=0x78) returned 0x0 [0082.433] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cee14 | out: lpflOldProtect=0x1cee14*=0x20) returned 1 [0082.434] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cee14 | out: lpflOldProtect=0x1cee14*=0x40) returned 1 [0082.434] GetCurrentThreadId () returned 0x270 [0082.434] NtCreateSection (in: SectionHandle=0x1ceef8, DesiredAccess=0xe, ObjectAttributes=0x0, MaximumSize=0x1ceef0, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x1ceef8*=0x7c) returned 0x0 [0082.434] NtMapViewOfSection (in: SectionHandle=0x7c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1cee98*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1cf0b8*=0x0, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1cee98*=0x1dc0000, SectionOffset=0x0, ViewSize=0x1cf0b8*=0x161000) returned 0x0 [0082.888] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cef98 | out: lpSystemTimeAsFileTime=0x1cef98*(dwLowDateTime=0x29f50f80, dwHighDateTime=0x1d937fd)) [0082.888] GetCurrentThreadId () returned 0x270 [0082.888] GetCurrentProcessId () returned 0x32c [0082.888] QueryPerformanceCounter (in: lpPerformanceCount=0x1cefa0 | out: lpPerformanceCount=0x1cefa0*=3321717148983) returned 1 [0083.075] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0083.075] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0083.076] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0083.076] GetLastError () returned 0x7e [0083.076] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0083.076] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0083.276] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0083.944] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0083.944] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0084.132] GetProcessHeap () returned 0x300000 [0084.145] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0084.146] GetLastError () returned 0x7e [0084.146] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0084.146] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0084.146] GetLastError () returned 0x7e [0084.146] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0084.159] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x331aa0 [0084.160] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0084.352] SetLastError (dwErrCode=0x7e) [0084.373] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1000) returned 0x331e70 [0084.375] GetStartupInfoW (in: lpStartupInfo=0x1cee20 | out: lpStartupInfo=0x1cee20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x1)) [0084.375] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0084.375] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0084.375] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0084.545] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"1\"" [0084.545] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"1\"" [0084.557] GetLastError () returned 0x7e [0084.557] SetLastError (dwErrCode=0x7e) [0084.557] GetLastError () returned 0x7e [0084.557] SetLastError (dwErrCode=0x7e) [0084.558] GetACP () returned 0x4e4 [0084.558] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x228) returned 0x333e80 [0084.558] IsValidCodePage (CodePage=0x4e4) returned 1 [0084.558] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cedf0 | out: lpCPInfo=0x1cedf0) returned 1 [0084.571] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1ce690 | out: lpCPInfo=0x1ce690) returned 1 [0084.571] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce6b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0084.571] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce6b0, cbMultiByte=256, lpWideCharStr=0x1ce3e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ0") returned 256 [0084.571] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ0", cchSrc=256, lpCharType=0x1ce9b0 | out: lpCharType=0x1ce9b0) returned 1 [0084.704] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce6b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0084.704] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce6b0, cbMultiByte=256, lpWideCharStr=0x1ce380, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0084.704] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0084.704] GetLastError () returned 0x7e [0084.704] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0084.704] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0084.704] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ce170, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0084.704] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1ce7b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿP\x0e2", lpUsedDefaultChar=0x0) returned 256 [0084.705] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce6b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0084.705] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce6b0, cbMultiByte=256, lpWideCharStr=0x1ce380, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0084.705] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0084.705] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ce170, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0084.705] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1ce8b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0084.705] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x100) returned 0x3340b0 [0084.705] RtlInitializeSListHead (in: ListHead=0x1f08410 | out: ListHead=0x1f08410) [0084.903] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0084.903] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0084.903] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0084.903] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0084.903] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0084.903] GetProcAddress (hModule=0x77160000, lpProcName="InitializeCriticalSectionEx") returned 0x77176e50 [0084.904] GetProcAddress (hModule=0x77160000, lpProcName="InitOnceExecuteOnce") returned 0x77165d60 [0084.904] GetProcAddress (hModule=0x77160000, lpProcName="CreateEventExW") returned 0x771ac970 [0084.904] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreW") returned 0x77168e00 [0084.904] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreExW") returned 0x771ac8a0 [0084.904] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolTimer") returned 0x77167e90 [0084.904] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolTimer") returned 0x7729b2f0 [0084.904] GetProcAddress (hModule=0x77160000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7728d8c0 [0084.904] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolTimer") returned 0x7728d620 [0084.904] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWait") returned 0x771abe60 [0084.904] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolWait") returned 0x7729e170 [0084.904] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWait") returned 0x7728c540 [0084.905] GetProcAddress (hModule=0x77160000, lpProcName="FlushProcessWriteBuffers") returned 0x772d1f80 [0084.905] GetProcAddress (hModule=0x77160000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x7734ec60 [0084.905] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentProcessorNumber") returned 0x772d0040 [0084.905] GetProcAddress (hModule=0x77160000, lpProcName="CreateSymbolicLinkW") returned 0x771d5af0 [0084.905] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentPackageId") returned 0x0 [0084.905] GetProcAddress (hModule=0x77160000, lpProcName="GetTickCount64") returned 0x77168ac0 [0084.905] GetProcAddress (hModule=0x77160000, lpProcName="GetFileInformationByHandleEx") returned 0x771712f0 [0084.905] GetProcAddress (hModule=0x77160000, lpProcName="SetFileInformationByHandle") returned 0x771ac120 [0084.905] GetProcAddress (hModule=0x77160000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0084.905] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0084.906] GetProcAddress (hModule=0x77160000, lpProcName="WakeConditionVariable") returned 0x7733bab0 [0084.906] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0084.906] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0084.906] GetProcAddress (hModule=0x77160000, lpProcName="InitializeSRWLock") returned 0x772b84f0 [0084.906] GetProcAddress (hModule=0x77160000, lpProcName="AcquireSRWLockExclusive") returned 0x772a8020 [0084.906] GetProcAddress (hModule=0x77160000, lpProcName="TryAcquireSRWLockExclusive") returned 0x7732bdd0 [0084.906] GetProcAddress (hModule=0x77160000, lpProcName="ReleaseSRWLockExclusive") returned 0x772a8050 [0084.906] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableSRW") returned 0x771ab5c0 [0084.906] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWork") returned 0x77165d30 [0084.906] GetProcAddress (hModule=0x77160000, lpProcName="SubmitThreadpoolWork") returned 0x77292330 [0084.906] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWork") returned 0x772921f0 [0084.907] GetProcAddress (hModule=0x77160000, lpProcName="CompareStringEx") returned 0x771abd60 [0084.907] GetProcAddress (hModule=0x77160000, lpProcName="GetLocaleInfoEx") returned 0x771635e0 [0084.907] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0084.907] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0084.907] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0084.907] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0084.907] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0084.907] RtlInitializeConditionVariable () returned 0x772a00b0 [0084.920] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1000) returned 0x3341c0 [0085.966] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1f08fb0, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0086.210] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xd5) returned 0x3351d0 [0086.210] GetEnvironmentStringsW () returned 0x3352b0* [0086.210] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1433 [0086.210] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x599) returned 0x335df0 [0086.210] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x335df0, cbMultiByte=1433, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1433 [0086.210] FreeEnvironmentStringsW (penv=0x3352b0) returned 1 [0086.210] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x128) returned 0x3352b0 [0086.210] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1f) returned 0x325c70 [0086.420] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2b) returned 0x333770 [0086.420] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x31) returned 0x3337b0 [0086.420] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x3300e0 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x31) returned 0x3337f0 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18) returned 0x320e50 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x325ca0 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x14) returned 0x320e70 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xd) returned 0x3353e0 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1a) returned 0x325cd0 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x333830 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x19) returned 0x325d00 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x17) returned 0x335400 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xe) returned 0x335420 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xce) returned 0x335440 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x330130 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1d) returned 0x325d30 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x330180 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x12) returned 0x335520 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18) returned 0x335540 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1b) returned 0x325d60 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x325d90 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x29) returned 0x333870 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x325dc0 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x6b) returned 0x32bde0 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x17) returned 0x335560 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xf) returned 0x335580 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x16) returned 0x3355d0 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2a) returned 0x3338b0 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x29) returned 0x3338f0 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x16) returned 0x3355f0 [0086.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x13) returned 0x335610 [0086.422] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1f) returned 0x325df0 [0086.422] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x12) returned 0x335630 [0086.422] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18) returned 0x335650 [0086.422] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x46) returned 0x3301d0 [0086.422] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335df0 | out: hHeap=0x300000) returned 1 [0086.827] GetCurrentThread () returned 0xfffffffffffffffe [0086.827] GetThreadTimes (in: hThread=0xfffffffffffffffe, lpCreationTime=0x1ceed8, lpExitTime=0x1ceed0, lpKernelTime=0x1ceed0, lpUserTime=0x1ceed0 | out: lpCreationTime=0x1ceed8, lpExitTime=0x1ceed0, lpKernelTime=0x1ceed0, lpUserTime=0x1ceed0) returned 1 [0086.827] RtlInitializeSListHead (in: ListHead=0x1f08aa0 | out: ListHead=0x1f08aa0) [0087.038] RtlPcToFileHeader (in: PcValue=0x1eefef8, BaseOfImage=0x1cee00 | out: BaseOfImage=0x1cee00*=0x1dc0000) returned 0x1dc0000 [0087.474] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x50) returned 0x335da0 [0087.474] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x98 [0087.487] RtlWakeAllConditionVariable () returned 0x772a00b0 [0087.634] RtlWakeAllConditionVariable () returned 0x772a00b0 [0087.634] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x1ced50 | out: lpWSAData=0x1ced50) returned 0 [0087.656] RtlWakeAllConditionVariable () returned 0x772a00b0 [0087.656] RtlWakeAllConditionVariable () returned 0x772a00b0 [0087.828] RtlSizeHeap (HeapHandle=0x300000, Flags=0x0, MemoryPointer=0x3340b0) returned 0x100 [0087.828] RtlReAllocateHeap (Heap=0x300000, Flags=0x0, Ptr=0x3340b0, Size=0x200) returned 0x3361d0 [0087.966] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0087.966] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateThreadEx") returned 0x772d1d90 [0087.966] GetProcAddress (hModule=0x77280000, lpProcName="RtlNewSecurityObjectWithMultipleInheritance") returned 0x77364540 [0087.966] GetCurrentProcess () returned 0xffffffffffffffff [0087.966] NtCreateThreadEx (in: ThreadHandle=0x1f09890, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffffffffffff, lpStartAddress=0x77364540, lpParameter=0x0, CreateSuspended=1, StackZeroBits=0x0, SizeOfStackCommit=0x0, SizeOfStackReserve=0x0, lpBytesBuffer=0x0 | out: ThreadHandle=0x1f09890*=0xb0, lpBytesBuffer=0x0) returned 0x0 [0087.968] GetThreadContext (in: hThread=0xb0, lpContext=0x1cea80 | out: lpContext=0x1cea80*(P1Home=0x3361a0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0x33, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0x3340b0, Dr2=0x772d3488, Dr3=0x300230, Dr6=0x300388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x77364540, Rdx=0x0, Rbx=0x0, Rsp=0x24cfb38, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x3340b0, VectorRegister.High=0x3340b0, VectorControl=0x0, DebugControl=0x1e47129, LastBranchToRip=0x0, LastBranchFromRip=0x1cf438, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0088.127] SetThreadContext (hThread=0xb0, lpContext=0x1cea80*(P1Home=0x3361a0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0x33, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0x3340b0, Dr2=0x772d3488, Dr3=0x300230, Dr6=0x300388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x1dd365c, Rdx=0x0, Rbx=0x0, Rsp=0x24cfb38, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x3340b0, VectorRegister.High=0x3340b0, VectorControl=0x0, DebugControl=0x1e47129, LastBranchToRip=0x0, LastBranchFromRip=0x1cf438, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0088.127] ResumeThread (hThread=0xb0) returned 0x1 [0088.135] GetProcAddress (hModule=0x1dc0000, lpProcName="setPath") returned 0x1dd4604 [0088.135] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x70) returned 0x32be60 [0088.135] SetEvent (hEvent=0x98) returned 1 [0088.154] WaitForSingleObject (hHandle=0xb0, dwMilliseconds=0xffffffff) returned 0x0 [0116.652] RtlExitUserProcess (ExitCode=0x0) [0116.657] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31cfa0 | out: hHeap=0x300000) returned 1 [0116.677] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x331aa0 | out: hHeap=0x300000) returned 1 [0117.166] WSACleanup () returned 0 [0117.735] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32be60 | out: hHeap=0x300000) returned 1 [0117.736] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335da0 | out: hHeap=0x300000) returned 1 [0117.781] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339570 | out: hHeap=0x300000) returned 1 [0117.782] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3382e0 | out: hHeap=0x300000) returned 1 [0117.782] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335690 | out: hHeap=0x300000) returned 1 [0117.783] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334110 | out: hHeap=0x300000) returned 1 [0117.784] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333e30 | out: hHeap=0x300000) returned 1 [0117.932] RtlInterlockedFlushSList (in: ListHead=0x1f08410 | out: ListHead=0x1f08410) returned 0x0 [0117.932] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3361d0 | out: hHeap=0x300000) returned 1 [0118.521] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3341c0 | out: hHeap=0x300000) returned 1 [0118.521] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0118.523] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x350f50 | out: hHeap=0x300000) returned 1 [0118.524] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x363020 | out: hHeap=0x300000) returned 1 [0118.524] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334130 | out: hHeap=0x300000) returned 1 [0118.524] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3392b0 | out: hHeap=0x300000) returned 1 [0118.525] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x366c80 | out: hHeap=0x300000) returned 1 [0118.546] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0118.547] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bfe0 | out: hHeap=0x300000) returned 1 [0118.547] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32c060 | out: hHeap=0x300000) returned 1 [0118.548] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32c0e0 | out: hHeap=0x300000) returned 1 [0118.709] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325c70 | out: hHeap=0x300000) returned 1 [0118.710] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333770 | out: hHeap=0x300000) returned 1 [0118.710] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3337b0 | out: hHeap=0x300000) returned 1 [0118.710] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3300e0 | out: hHeap=0x300000) returned 1 [0118.711] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3337f0 | out: hHeap=0x300000) returned 1 [0118.711] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x320e50 | out: hHeap=0x300000) returned 1 [0118.711] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325ca0 | out: hHeap=0x300000) returned 1 [0118.711] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x320e70 | out: hHeap=0x300000) returned 1 [0118.711] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3353e0 | out: hHeap=0x300000) returned 1 [0118.711] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325cd0 | out: hHeap=0x300000) returned 1 [0118.711] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333830 | out: hHeap=0x300000) returned 1 [0118.711] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325d00 | out: hHeap=0x300000) returned 1 [0118.711] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335400 | out: hHeap=0x300000) returned 1 [0118.711] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335420 | out: hHeap=0x300000) returned 1 [0118.712] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335440 | out: hHeap=0x300000) returned 1 [0118.712] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330130 | out: hHeap=0x300000) returned 1 [0118.712] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325d30 | out: hHeap=0x300000) returned 1 [0118.712] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330180 | out: hHeap=0x300000) returned 1 [0118.712] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335520 | out: hHeap=0x300000) returned 1 [0118.712] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335540 | out: hHeap=0x300000) returned 1 [0118.712] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325d60 | out: hHeap=0x300000) returned 1 [0118.712] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325d90 | out: hHeap=0x300000) returned 1 [0118.713] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333870 | out: hHeap=0x300000) returned 1 [0118.713] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325dc0 | out: hHeap=0x300000) returned 1 [0118.713] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bde0 | out: hHeap=0x300000) returned 1 [0118.713] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335560 | out: hHeap=0x300000) returned 1 [0118.713] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335580 | out: hHeap=0x300000) returned 1 [0118.713] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3355d0 | out: hHeap=0x300000) returned 1 [0118.714] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3338b0 | out: hHeap=0x300000) returned 1 [0118.714] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3338f0 | out: hHeap=0x300000) returned 1 [0118.714] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3355f0 | out: hHeap=0x300000) returned 1 [0118.714] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335610 | out: hHeap=0x300000) returned 1 [0118.714] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325df0 | out: hHeap=0x300000) returned 1 [0118.714] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335630 | out: hHeap=0x300000) returned 1 [0118.714] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335650 | out: hHeap=0x300000) returned 1 [0118.714] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3301d0 | out: hHeap=0x300000) returned 1 [0118.715] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3352b0 | out: hHeap=0x300000) returned 1 [0118.715] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333e80 | out: hHeap=0x300000) returned 1 [0118.716] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3351d0 | out: hHeap=0x300000) returned 1 [0118.877] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x331e70 | out: hHeap=0x300000) returned 1 [0118.877] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0118.877] FreeLibrary (hLibModule=0x77160000) returned 1 [0118.891] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0118.891] FreeLibrary (hLibModule=0x77160000) returned 1 Thread: id = 64 os_tid = 0xb48 [0088.175] GetLastError () returned 0x57 [0088.175] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0088.176] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x32bee0 [0088.176] SetLastError (dwErrCode=0x57) [0088.176] GetLastError () returned 0x57 [0088.327] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x337c70 [0088.327] SetLastError (dwErrCode=0x57) [0088.602] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0088.603] GetLastError () returned 0x7e [0088.627] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24cf5c0 | out: lpSystemTimeAsFileTime=0x24cf5c0*(dwLowDateTime=0x2c1cf890, dwHighDateTime=0x1d937fd)) [0088.627] GetLastError () returned 0x7e [0088.627] SetLastError (dwErrCode=0x7e) [0088.627] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0088.627] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x70) returned 0x32bf60 [0088.815] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x260) returned 0x338040 [0089.161] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0089.161] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x38) returned 0x333e30 [0089.322] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2) returned 0x334110 [0089.322] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334110 | out: hHeap=0x300000) returned 1 [0089.322] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2) returned 0x334110 [0089.322] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x3382e0 [0089.341] GetLastError () returned 0x7e [0089.341] SetLastError (dwErrCode=0x7e) [0089.341] GetLastError () returned 0x7e [0089.341] SetLastError (dwErrCode=0x7e) [0089.730] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x158) returned 0x3392b0 [0089.944] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6a6) returned 0x339410 [0089.944] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339410 | out: hHeap=0x300000) returned 1 [0090.158] GetLastError () returned 0x7e [0090.392] SetLastError (dwErrCode=0x7e) [0090.600] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6) returned 0x334130 [0091.240] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2) returned 0x334150 [0091.481] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x4) returned 0x334170 [0091.481] GetLastError () returned 0x7e [0091.481] SetLastError (dwErrCode=0x7e) [0091.481] GetLastError () returned 0x7e [0091.481] SetLastError (dwErrCode=0x7e) [0091.481] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x158) returned 0x339410 [0091.482] GetLastError () returned 0x7e [0091.482] SetLastError (dwErrCode=0x7e) [0091.699] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6a6) returned 0x339570 [0091.699] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339570 | out: hHeap=0x300000) returned 1 [0091.700] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334130 | out: hHeap=0x300000) returned 1 [0091.700] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3392b0 | out: hHeap=0x300000) returned 1 [0091.700] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334170 | out: hHeap=0x300000) returned 1 [0091.700] GetLastError () returned 0x7e [0091.700] SetLastError (dwErrCode=0x7e) [0091.700] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6) returned 0x334130 [0091.700] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2) returned 0x334170 [0091.700] GetLastError () returned 0x7e [0091.701] SetLastError (dwErrCode=0x7e) [0091.701] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x200) returned 0x339570 [0091.701] GetLastError () returned 0x7e [0091.701] SetLastError (dwErrCode=0x7e) [0091.701] GetLastError () returned 0x7e [0091.702] SetLastError (dwErrCode=0x7e) [0091.702] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x4) returned 0x334190 [0091.702] GetLastError () returned 0x7e [0091.702] SetLastError (dwErrCode=0x7e) [0091.702] GetLastError () returned 0x7e [0091.702] SetLastError (dwErrCode=0x7e) [0091.702] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x158) returned 0x3392b0 [0091.702] GetLastError () returned 0x7e [0091.702] SetLastError (dwErrCode=0x7e) [0091.702] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6a6) returned 0x339780 [0091.703] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339780 | out: hHeap=0x300000) returned 1 [0091.703] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334130 | out: hHeap=0x300000) returned 1 [0091.703] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339410 | out: hHeap=0x300000) returned 1 [0091.703] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334190 | out: hHeap=0x300000) returned 1 [0091.703] GetLastError () returned 0x7e [0091.704] SetLastError (dwErrCode=0x7e) [0091.704] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6) returned 0x334130 [0091.704] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334170 | out: hHeap=0x300000) returned 1 [0091.704] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334150 | out: hHeap=0x300000) returned 1 [0092.207] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335690 [0092.221] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0092.221] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x25a) returned 0x339780 [0092.588] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0093.092] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325eb0 [0093.092] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325ee0 [0093.092] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0093.108] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325eb0 | out: hHeap=0x300000) returned 1 [0093.108] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325eb0 [0093.108] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x60) returned 0x32d600 [0093.109] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0093.109] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x80) returned 0x339410 [0093.110] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32d600 | out: hHeap=0x300000) returned 1 [0093.111] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325f10 [0093.111] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xc0) returned 0x3394a0 [0093.112] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339410 | out: hHeap=0x300000) returned 1 [0093.476] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325f40 [0093.476] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325f70 [0093.477] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x120) returned 0x3399f0 [0093.477] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3394a0 | out: hHeap=0x300000) returned 1 [0093.477] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325fa0 [0093.477] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325fd0 [0093.477] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x1a0) returned 0x339b20 [0093.478] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3399f0 | out: hHeap=0x300000) returned 1 [0093.478] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326000 [0093.478] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326030 [0093.478] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326060 [0093.478] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326090 [0093.478] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x260) returned 0x339cd0 [0093.478] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339b20 | out: hHeap=0x300000) returned 1 [0093.478] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x3260c0 [0093.478] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x3260f0 [0093.478] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326120 [0093.478] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326150 [0093.478] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326180 [0093.478] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339f70 [0093.479] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x380) returned 0x33ab40 [0093.479] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339cd0 | out: hHeap=0x300000) returned 1 [0093.479] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339fa0 [0093.479] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339fd0 [0093.480] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a000 [0093.480] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a030 [0093.480] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a060 [0093.480] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a090 [0093.480] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a0c0 [0093.480] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a0f0 [0093.480] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a120 [0093.480] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x540) returned 0x3399f0 [0093.480] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ab40 | out: hHeap=0x300000) returned 1 [0093.480] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a150 [0093.480] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a180 [0093.480] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a1b0 [0093.480] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a1e0 [0093.494] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a210 [0093.494] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0093.495] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339780 | out: hHeap=0x300000) returned 1 [0093.495] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0093.803] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0093.823] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0093.823] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0093.823] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3356d0 [0093.823] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0093.823] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0093.824] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0093.824] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0093.824] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0093.824] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0093.824] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330270 [0093.824] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0093.824] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0093.824] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0093.824] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3356d0 [0093.825] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0093.825] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0093.825] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0093.825] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0093.825] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0093.826] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0093.826] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x80) returned 0x339410 [0093.826] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330270 | out: hHeap=0x300000) returned 1 [0093.826] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0093.827] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0093.827] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0093.827] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xf) returned 0x3356d0 [0093.827] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0093.827] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0093.827] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0093.828] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0093.828] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0093.828] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0093.828] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xc0) returned 0x3394a0 [0093.828] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339410 | out: hHeap=0x300000) returned 1 [0093.829] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0093.829] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0093.829] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0093.829] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356d0 [0093.829] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0093.829] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0093.829] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0093.830] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0093.830] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0093.830] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0093.830] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x100) returned 0x339780 [0093.830] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3394a0 | out: hHeap=0x300000) returned 1 [0093.830] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0093.830] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0093.831] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0093.831] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3356d0 [0093.831] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0093.831] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0093.831] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0093.831] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0093.832] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0093.832] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0093.832] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x180) returned 0x33ab40 [0093.832] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339780 | out: hHeap=0x300000) returned 1 [0093.832] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0093.832] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0093.833] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0093.833] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3356d0 [0093.833] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0093.833] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0093.834] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0093.834] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0093.834] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0093.834] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0093.834] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0093.834] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0093.834] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0093.834] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356d0 [0093.834] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0093.834] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0093.835] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0093.836] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0093.836] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0093.836] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0093.836] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x240) returned 0x339780 [0093.836] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ab40 | out: hHeap=0x300000) returned 1 [0093.836] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0093.837] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0093.837] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0093.837] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xe) returned 0x3356d0 [0093.837] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0093.837] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0093.837] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.013] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.013] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.013] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.014] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.014] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.014] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.014] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3356d0 [0094.014] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.015] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.015] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.015] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.015] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.015] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.016] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.016] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.016] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.016] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3356d0 [0094.016] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.016] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.017] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.017] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.017] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.017] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.017] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x340) returned 0x33ab40 [0094.017] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339780 | out: hHeap=0x300000) returned 1 [0094.018] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.018] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.018] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.018] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3356d0 [0094.018] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.018] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.019] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.019] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.019] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.019] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.019] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.019] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.020] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.020] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3356d0 [0094.020] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.020] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.021] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.021] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.022] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.022] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.022] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.022] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.023] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.023] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3356d0 [0094.023] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.023] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.023] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.023] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.023] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.023] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.024] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.024] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.024] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.025] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3356d0 [0094.025] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.025] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.025] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.025] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.025] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.025] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.025] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x4c0) returned 0x33ae90 [0094.026] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ab40 | out: hHeap=0x300000) returned 1 [0094.027] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.027] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.027] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.027] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3356d0 [0094.027] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.027] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.027] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.027] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.027] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.027] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.028] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.028] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.028] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.028] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3356d0 [0094.028] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.028] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.029] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.029] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.029] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.029] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.029] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.029] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.029] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.030] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356d0 [0094.030] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.030] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.030] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.031] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.031] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.031] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.031] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.031] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.031] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.032] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356d0 [0094.032] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.032] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.033] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.033] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.033] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.033] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.033] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.033] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.033] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.033] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3356d0 [0094.034] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.034] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.034] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.034] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.034] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.034] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.035] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.035] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.035] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.035] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3356d0 [0094.035] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.035] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.036] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.036] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.036] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.036] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.036] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x700) returned 0x33b360 [0094.036] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ae90 | out: hHeap=0x300000) returned 1 [0094.037] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.037] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.037] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.037] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3356d0 [0094.037] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.037] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.038] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.038] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.038] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.038] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.038] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.038] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.039] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.039] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3356d0 [0094.039] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.039] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.039] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.039] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.039] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.039] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.040] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.040] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.040] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.041] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3356d0 [0094.041] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.041] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.041] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.042] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.042] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.042] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.042] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.042] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.043] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.043] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3356d0 [0094.043] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.043] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.043] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.043] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.043] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.044] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.044] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.044] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.045] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.045] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3356d0 [0094.045] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.045] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.045] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.045] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.045] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.046] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.046] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.046] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.046] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.046] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356d0 [0094.046] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.046] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.047] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.047] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.047] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.047] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.047] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.047] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.047] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.048] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3356d0 [0094.048] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.048] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.048] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.048] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.048] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.048] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.049] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.049] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.275] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.276] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3356d0 [0094.276] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.276] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.276] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.276] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.276] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.276] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.277] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.277] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.277] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.277] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3356d0 [0094.277] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.277] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.278] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.278] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.278] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.278] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.278] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xa80) returned 0x33ba70 [0094.278] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33b360 | out: hHeap=0x300000) returned 1 [0094.279] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.279] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.279] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.279] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356d0 [0094.279] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.279] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.280] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.280] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.280] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.280] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.280] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.280] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.280] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.280] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3356d0 [0094.280] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.281] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.281] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.281] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.281] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.281] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.282] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.282] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.282] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.282] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3356d0 [0094.282] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.282] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.283] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.283] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.283] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.283] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.283] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.283] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x335670 [0094.283] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3356b0 [0094.283] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3356d0 [0094.284] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e80 [0094.284] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330220 [0094.284] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e80 | out: hHeap=0x300000) returned 1 [0094.552] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356d0 | out: hHeap=0x300000) returned 1 [0094.552] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3356b0 | out: hHeap=0x300000) returned 1 [0094.552] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335670 | out: hHeap=0x300000) returned 1 [0094.567] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330220 | out: hHeap=0x300000) returned 1 [0094.567] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325ee0 | out: hHeap=0x300000) returned 1 [0094.567] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325eb0 | out: hHeap=0x300000) returned 1 [0094.568] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325f10 | out: hHeap=0x300000) returned 1 [0094.568] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325f40 | out: hHeap=0x300000) returned 1 [0094.569] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325f70 | out: hHeap=0x300000) returned 1 [0094.570] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325fa0 | out: hHeap=0x300000) returned 1 [0094.570] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325fd0 | out: hHeap=0x300000) returned 1 [0094.571] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326000 | out: hHeap=0x300000) returned 1 [0094.571] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326030 | out: hHeap=0x300000) returned 1 [0094.571] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326060 | out: hHeap=0x300000) returned 1 [0094.572] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326090 | out: hHeap=0x300000) returned 1 [0094.572] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3260c0 | out: hHeap=0x300000) returned 1 [0094.572] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3260f0 | out: hHeap=0x300000) returned 1 [0094.573] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326120 | out: hHeap=0x300000) returned 1 [0094.573] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326150 | out: hHeap=0x300000) returned 1 [0094.573] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326180 | out: hHeap=0x300000) returned 1 [0094.574] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339f70 | out: hHeap=0x300000) returned 1 [0094.574] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339fa0 | out: hHeap=0x300000) returned 1 [0094.575] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339fd0 | out: hHeap=0x300000) returned 1 [0094.575] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a000 | out: hHeap=0x300000) returned 1 [0094.576] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a030 | out: hHeap=0x300000) returned 1 [0094.576] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a060 | out: hHeap=0x300000) returned 1 [0094.577] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a090 | out: hHeap=0x300000) returned 1 [0094.577] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a0c0 | out: hHeap=0x300000) returned 1 [0094.578] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a0f0 | out: hHeap=0x300000) returned 1 [0094.578] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a120 | out: hHeap=0x300000) returned 1 [0094.578] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a150 | out: hHeap=0x300000) returned 1 [0094.579] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a180 | out: hHeap=0x300000) returned 1 [0094.579] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a1b0 | out: hHeap=0x300000) returned 1 [0094.579] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a1e0 | out: hHeap=0x300000) returned 1 [0094.580] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a210 | out: hHeap=0x300000) returned 1 [0094.581] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3399f0 | out: hHeap=0x300000) returned 1 [0094.854] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x338040 | out: hHeap=0x300000) returned 1 [0094.868] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0094.877] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0099.773] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0099.773] GetProcAddress (hModule=0x77280000, lpProcName="ZwAllocateVirtualMemory") returned 0x772d1490 [0099.773] GetProcAddress (hModule=0x77280000, lpProcName="ZwWriteVirtualMemory") returned 0x772d16b0 [0099.773] GetProcAddress (hModule=0x77280000, lpProcName="ZwReadVirtualMemory") returned 0x772d1700 [0099.774] GetProcAddress (hModule=0x77280000, lpProcName="ZwGetContextThread") returned 0x772d1fe0 [0099.774] GetProcAddress (hModule=0x77280000, lpProcName="ZwSetContextThread") returned 0x772d2840 [0100.239] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x3484c0 [0100.258] CoCreateInstance (in: rclsid=0x1ea57e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1ea57f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x24cf470 | out: ppv=0x24cf470*=0x3359f0) returned 0x0 [0100.687] WbemLocator:IWbemLocator:ConnectServer (in: This=0x3359f0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x24cf468 | out: ppNamespace=0x24cf468*=0x3636d0) returned 0x0 [0104.539] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x7fefd730000 [0104.539] GetProcAddress (hModule=0x7fefd730000, lpProcName="CoSetProxyBlanket") returned 0x7fefd76bf00 [0104.540] CoSetProxyBlanket (pProxy=0x3636d0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0104.555] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x335d10 [0104.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3484c0, cbMultiByte=35, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 35 [0104.570] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3484c0, cbMultiByte=35, lpWideCharStr=0x24cf360, cchWideChar=35 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystem") returned 35 [0104.571] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x335d30 [0104.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1ebb258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0104.571] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1ebb258, cbMultiByte=4, lpWideCharStr=0x24cf3a0, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0104.571] IWbemServices:ExecQuery (in: This=0x3636d0, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystem", lFlags=48, pCtx=0x0, ppEnum=0x24cf478 | out: ppEnum=0x24cf478*=0x36a720) returned 0x0 [0104.911] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335d30 | out: hHeap=0x300000) returned 1 [0104.911] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335d10 | out: hHeap=0x300000) returned 1 [0104.911] IEnumWbemClassObject:Next (in: This=0x36a720, lTimeout=-1, uCount=0x1, apObjects=0x24cf480, puReturned=0x24cf598 | out: apObjects=0x24cf480*=0x36e530, puReturned=0x24cf598*=0x1) returned 0x0 [0105.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x24cf5d0, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0105.450] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x24cf5d0, cbMultiByte=4, lpWideCharStr=0x24cf398, cchWideChar=4 | out: lpWideCharStr="Name") returned 4 [0105.820] IWbemClassObject:Get (in: This=0x36e530, wszName="Name", lFlags=0, pVal=0x24cf520*(varType=0x0, wReserved1=0x34, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x24cf520*(varType=0x8, wReserved1=0x34, wReserved2=0x0, wReserved3=0x0, varVal1="Q9IATRKPRH", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0106.078] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x34bd70 [0106.079] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0106.103] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x24cf3b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Q9IATRKPRH", lpUsedDefaultChar=0x0) returned 10 [0106.477] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x34bd70 | out: hHeap=0x300000) returned 1 [0106.477] IUnknown:Release (This=0x36e530) returned 0x0 [0106.477] WbemLocator:IUnknown:Release (This=0x3636d0) returned 0x0 [0106.716] WbemLocator:IUnknown:Release (This=0x3359f0) returned 0x0 [0106.716] IUnknown:Release (This=0x36a720) returned 0x0 [0106.744] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3484c0 | out: hHeap=0x300000) returned 1 [0107.103] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) [0107.103] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x3484c0 [0107.103] CoCreateInstance (in: rclsid=0x1ea57e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1ea57f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x24cf470 | out: ppv=0x24cf470*=0x335d30) returned 0x0 [0107.103] WbemLocator:IWbemLocator:ConnectServer (in: This=0x335d30, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x24cf468 | out: ppNamespace=0x24cf468*=0x3636d0) returned 0x0 [0107.287] CoSetProxyBlanket (pProxy=0x3636d0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0107.287] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x3359f0 [0107.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3484c0, cbMultiByte=42, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 42 [0107.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3484c0, cbMultiByte=42, lpWideCharStr=0x24cf350, cchWideChar=42 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystemProduct") returned 42 [0107.287] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x36bdb0 [0107.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1ebb258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0107.287] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1ebb258, cbMultiByte=4, lpWideCharStr=0x24cf3a0, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0107.287] IWbemServices:ExecQuery (in: This=0x3636d0, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystemProduct", lFlags=48, pCtx=0x0, ppEnum=0x24cf478 | out: ppEnum=0x24cf478*=0x36a720) returned 0x0 [0107.290] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x36bdb0 | out: hHeap=0x300000) returned 1 [0107.291] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3359f0 | out: hHeap=0x300000) returned 1 [0107.291] IEnumWbemClassObject:Next (in: This=0x36a720, lTimeout=-1, uCount=0x1, apObjects=0x24cf480, puReturned=0x24cf598 | out: apObjects=0x24cf480*=0x36cca0, puReturned=0x24cf598*=0x1) returned 0x0 [0107.903] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x24cf5d0, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0108.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x24cf5d0, cbMultiByte=4, lpWideCharStr=0x24cf398, cchWideChar=4 | out: lpWideCharStr="UUID") returned 4 [0108.773] IWbemClassObject:Get (in: This=0x36cca0, wszName="UUID", lFlags=0, pVal=0x24cf520*(varType=0x0, wReserved1=0x34, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x24cf520*(varType=0x8, wReserved1=0x34, wReserved2=0x0, wReserved3=0x0, varVal1="4C4C4544-0050-3710-8058-CAC04F59344A", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0109.356] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x50) returned 0x347ba0 [0109.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0109.372] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x35de10 [0110.011] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x35de10, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4C4C4544-0050-3710-8058-CAC04F59344A", lpUsedDefaultChar=0x0) returned 36 [0110.012] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x347ba0 | out: hHeap=0x300000) returned 1 [0110.012] IUnknown:Release (This=0x36cca0) returned 0x0 [0110.012] WbemLocator:IUnknown:Release (This=0x3636d0) returned 0x0 [0110.295] WbemLocator:IUnknown:Release (This=0x335d30) returned 0x0 [0110.295] IUnknown:Release (This=0x36a720) returned 0x0 [0110.337] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3484c0 | out: hHeap=0x300000) returned 1 [0110.781] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x3484c0 [0111.678] GetLastError () returned 0x0 [0112.137] SetLastError (dwErrCode=0x0) [0112.603] GetLastError () returned 0x0 [0112.603] SetLastError (dwErrCode=0x0) [0112.603] GetLastError () returned 0x0 [0112.603] SetLastError (dwErrCode=0x0) [0112.603] GetLastError () returned 0x0 [0112.603] SetLastError (dwErrCode=0x0) [0112.603] GetLastError () returned 0x0 [0112.603] SetLastError (dwErrCode=0x0) [0112.603] GetLastError () returned 0x0 [0112.603] SetLastError (dwErrCode=0x0) [0112.603] GetLastError () returned 0x0 [0112.603] SetLastError (dwErrCode=0x0) [0112.603] GetLastError () returned 0x0 [0112.603] SetLastError (dwErrCode=0x0) [0112.603] GetLastError () returned 0x0 [0112.603] SetLastError (dwErrCode=0x0) [0112.603] GetLastError () returned 0x0 [0112.604] SetLastError (dwErrCode=0x0) [0112.604] GetLastError () returned 0x0 [0112.604] SetLastError (dwErrCode=0x0) [0112.604] GetLastError () returned 0x0 [0112.604] SetLastError (dwErrCode=0x0) [0112.604] GetLastError () returned 0x0 [0112.604] SetLastError (dwErrCode=0x0) [0112.604] GetLastError () returned 0x0 [0112.604] SetLastError (dwErrCode=0x0) [0112.604] GetLastError () returned 0x0 [0112.604] SetLastError (dwErrCode=0x0) [0112.604] GetLastError () returned 0x0 [0112.604] SetLastError (dwErrCode=0x0) [0112.604] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x35ddd0 [0112.604] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x35ddd0, cbMultiByte=32, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 32 [0112.604] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x50) returned 0x3478a0 [0112.604] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x35ddd0, cbMultiByte=32, lpWideCharStr=0x3478a0, cchWideChar=32 | out: lpWideCharStr="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 32 [0112.604] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 0x180 [0112.605] GetLastError () returned 0xb7 [0112.605] CloseHandle (hObject=0x180) returned 1 [0112.605] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3478a0 | out: hHeap=0x300000) returned 1 [0112.606] CoUninitialize () [0113.003] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x35ddd0 | out: hHeap=0x300000) returned 1 [0113.003] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3484c0 | out: hHeap=0x300000) returned 1 [0113.003] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x35de10 | out: hHeap=0x300000) returned 1 [0113.118] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ba70 | out: hHeap=0x300000) returned 1 [0113.119] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bf60 | out: hHeap=0x300000) returned 1 [0113.119] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bee0 | out: hHeap=0x300000) returned 1 [0113.139] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x337c70 | out: hHeap=0x300000) returned 1 Thread: id = 146 os_tid = 0xdd8 Thread: id = 147 os_tid = 0xf98 [0101.634] GetLastError () returned 0x57 [0101.995] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x32bfe0 [0101.995] SetLastError (dwErrCode=0x57) [0102.018] GetLastError () returned 0x57 [0102.320] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x350f50 [0102.649] SetLastError (dwErrCode=0x57) Thread: id = 148 os_tid = 0xf94 [0103.912] GetLastError () returned 0x57 [0103.912] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x32c060 [0103.912] SetLastError (dwErrCode=0x57) [0103.912] GetLastError () returned 0x57 [0103.912] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x363020 [0103.912] SetLastError (dwErrCode=0x57) Thread: id = 149 os_tid = 0xfbc [0103.914] GetLastError () returned 0x57 [0103.914] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x32c0e0 [0103.914] SetLastError (dwErrCode=0x57) [0103.914] GetLastError () returned 0x57 [0103.914] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x366c80 [0103.914] SetLastError (dwErrCode=0x57) Process: id = "13" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x42031000" os_pid = "0x938" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"1\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 854 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 855 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 856 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 857 start_va = 0x1d0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 858 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 859 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 860 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 861 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 862 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 863 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 864 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 865 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 866 start_va = 0x2d0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 867 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 868 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 869 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 870 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 871 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 872 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 873 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 874 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 875 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 876 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 877 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 878 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 879 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 880 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 881 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 882 start_va = 0x4c0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 883 start_va = 0xc0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 884 start_va = 0x2d0000 end_va = 0x2f8fff monitored = 0 entry_point = 0x2d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 885 start_va = 0x3c0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 886 start_va = 0x4c0000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 887 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 888 start_va = 0x2d0000 end_va = 0x2f8fff monitored = 0 entry_point = 0x2d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 889 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 890 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 891 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 892 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 893 start_va = 0x6b0000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 894 start_va = 0x840000 end_va = 0x1c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 895 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 896 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 899 start_va = 0x2d0000 end_va = 0x2d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 900 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 901 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Thread: id = 28 os_tid = 0x120 [0054.346] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfcd8 | out: lpSystemTimeAsFileTime=0x2cfcd8*(dwLowDateTime=0x1a9f2840, dwHighDateTime=0x1d937fd)) [0054.346] GetCurrentThreadId () returned 0x120 [0054.346] GetCurrentProcessId () returned 0x938 [0054.346] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfce0 | out: lpPerformanceCount=0x2cfce0*=3317886348324) returned 1 [0054.347] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0054.350] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0054.350] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0054.350] GetLastError () returned 0x7e [0054.350] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0054.351] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0054.351] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0054.352] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0054.352] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0054.352] GetProcessHeap () returned 0x3c0000 [0054.352] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0054.353] GetLastError () returned 0x7e [0054.353] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0054.353] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0054.353] GetLastError () returned 0x7e [0054.353] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0054.353] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0054.353] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3c8) returned 0x3dcfa0 [0054.354] SetLastError (dwErrCode=0x7e) [0054.354] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1200) returned 0x3dd370 [0054.356] GetStartupInfoW (in: lpStartupInfo=0x2cfbb0 | out: lpStartupInfo=0x2cfbb0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2cfc38, hStdError=0x1)) [0054.356] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0054.356] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0054.356] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0054.356] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"1\"" [0054.356] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"1\"" [0054.356] GetACP () returned 0x4e4 [0054.356] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x228) returned 0x3dab80 [0054.356] IsValidCodePage (CodePage=0x4e4) returned 1 [0054.356] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cfb70 | out: lpCPInfo=0x2cfb70) returned 1 [0054.356] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf410 | out: lpCPInfo=0x2cf410) returned 1 [0054.356] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf430, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0054.356] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf430, cbMultiByte=256, lpWideCharStr=0x2cf160, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0054.356] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x2cf730 | out: lpCharType=0x2cf730) returned 1 [0054.357] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf430, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0054.357] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf430, cbMultiByte=256, lpWideCharStr=0x2cf100, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0054.357] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0054.357] GetLastError () returned 0x7e [0054.357] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0054.357] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0054.358] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ceef0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0054.358] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2cf530, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80«=", lpUsedDefaultChar=0x0) returned 256 [0054.358] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf430, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0054.358] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf430, cbMultiByte=256, lpWideCharStr=0x2cf100, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0054.358] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0054.358] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ceef0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0054.358] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2cf630, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0054.358] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x100) returned 0x3df580 [0054.358] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0054.358] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x17e) returned 0x3df690 [0054.358] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0054.358] GetLastError () returned 0x0 [0054.358] SetLastError (dwErrCode=0x0) [0054.358] GetEnvironmentStringsW () returned 0x3df820* [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0xb32) returned 0x3e0360 [0054.359] FreeEnvironmentStringsW (penv=0x3df820) returned 1 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x128) returned 0x3e0ea0 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3e) returned 0x3dafd0 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x56) returned 0x3dadb0 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x62) returned 0x3df820 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x78) returned 0x3df890 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x62) returned 0x3df910 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x30) returned 0x3de8f0 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x48) returned 0x3db020 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x28) returned 0x3d7990 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1a) returned 0x3d79c0 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x34) returned 0x3de930 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x5c) returned 0x3df980 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x32) returned 0x3de970 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2e) returned 0x3de9b0 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1c) returned 0x3d79f0 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x19c) returned 0x3df9f0 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x7c) returned 0x3dfba0 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3a) returned 0x3db070 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x90) returned 0x3dfc30 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x24) returned 0x3d7a20 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x30) returned 0x3de9f0 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x36) returned 0x3dea30 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3c) returned 0x3db0c0 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x52) returned 0x3dfcd0 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3c) returned 0x3db110 [0054.359] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xd6) returned 0x3dfd30 [0054.360] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2e) returned 0x3dea70 [0054.360] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1e) returned 0x3d7a50 [0054.360] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2c) returned 0x3deab0 [0054.360] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x54) returned 0x3dfe10 [0054.360] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x52) returned 0x3dfe70 [0054.360] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2c) returned 0x3deaf0 [0054.360] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x26) returned 0x3d7a80 [0054.360] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3e) returned 0x3db160 [0054.360] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x24) returned 0x3d7ab0 [0054.360] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x30) returned 0x3deb30 [0054.360] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x8c) returned 0x3dfed0 [0054.360] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3e0360 | out: hHeap=0x3c0000) returned 1 [0054.360] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1000) returned 0x3e0fd0 [0054.361] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0054.361] GetStartupInfoW (in: lpStartupInfo=0x2cfc40 | out: lpStartupInfo=0x2cfc40*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0054.361] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"1\"" [0054.361] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"1\"", pNumArgs=0x2cfc10 | out: pNumArgs=0x2cfc10) returned 0x3e03f0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0054.361] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0054.625] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x1000) returned 0x3e40c0 [0054.625] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x12) returned 0x3e0e10 [0054.625] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="FPH732n7", cchWideChar=-1, lpMultiByteStr=0x3e0e10, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FPH732n7", lpUsedDefaultChar=0x0) returned 9 [0054.625] GetLastError () returned 0x0 [0054.625] SetLastError (dwErrCode=0x0) [0054.626] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7W") returned 0x0 [0054.626] GetLastError () returned 0x7f [0054.626] SetLastError (dwErrCode=0x7f) [0054.626] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7A") returned 0x0 [0054.626] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7") returned 0x7fef2eb1cf0 [0054.626] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x4) returned 0x3e0e30 [0054.626] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x3e0e30, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0054.626] GetActiveWindow () returned 0x0 [0054.627] GetLastError () returned 0x7f [0054.627] SetLastError (dwErrCode=0x7f) Process: id = "14" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x42d44000" os_pid = "0x618" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"1\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 902 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 903 start_va = 0x30000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 904 start_va = 0x130000 end_va = 0x133fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 905 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 906 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 907 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 908 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 909 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 910 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 911 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 912 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 913 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 914 start_va = 0x150000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 915 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 916 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 917 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 918 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 919 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 920 start_va = 0x150000 end_va = 0x1b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 921 start_va = 0x220000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 922 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 923 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 924 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 925 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 926 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 927 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 928 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 929 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 930 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 931 start_va = 0x320000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 932 start_va = 0x390000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 933 start_va = 0x1c0000 end_va = 0x1e8fff monitored = 0 entry_point = 0x1c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 934 start_va = 0x490000 end_va = 0x617fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 935 start_va = 0x1c0000 end_va = 0x1e8fff monitored = 0 entry_point = 0x1c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 936 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 937 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 938 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 939 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 940 start_va = 0x620000 end_va = 0x7a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 941 start_va = 0x7b0000 end_va = 0x1baffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 942 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 943 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 944 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 947 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 948 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1125 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1126 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Thread: id = 30 os_tid = 0x95c [0055.623] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12f838 | out: lpSystemTimeAsFileTime=0x12f838*(dwLowDateTime=0x1b625900, dwHighDateTime=0x1d937fd)) [0055.623] GetCurrentThreadId () returned 0x95c [0055.623] GetCurrentProcessId () returned 0x618 [0055.623] QueryPerformanceCounter (in: lpPerformanceCount=0x12f840 | out: lpPerformanceCount=0x12f840*=3318013985402) returned 1 [0055.623] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0055.626] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0055.626] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0055.627] GetLastError () returned 0x7e [0055.627] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0055.627] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0055.627] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0055.628] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0055.628] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0055.629] GetProcessHeap () returned 0x220000 [0055.629] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0055.629] GetLastError () returned 0x7e [0055.629] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0055.629] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0055.629] GetLastError () returned 0x7e [0055.630] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0055.630] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0055.630] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x3c8) returned 0x23cfa0 [0055.631] SetLastError (dwErrCode=0x7e) [0055.631] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1200) returned 0x23d370 [0055.633] GetStartupInfoW (in: lpStartupInfo=0x12f710 | out: lpStartupInfo=0x12f710*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12f798, hStdError=0x1)) [0055.633] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0055.633] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0055.633] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0055.633] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"1\"" [0055.633] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"1\"" [0055.633] GetACP () returned 0x4e4 [0055.634] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x228) returned 0x23ab80 [0055.634] IsValidCodePage (CodePage=0x4e4) returned 1 [0055.634] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f6d0 | out: lpCPInfo=0x12f6d0) returned 1 [0055.634] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12ef70 | out: lpCPInfo=0x12ef70) returned 1 [0055.634] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12ef90, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0055.634] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12ef90, cbMultiByte=256, lpWideCharStr=0x12ecc0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0055.634] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x12f290 | out: lpCharType=0x12f290) returned 1 [0055.634] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12ef90, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0055.634] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12ef90, cbMultiByte=256, lpWideCharStr=0x12ec60, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0055.634] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0055.634] GetLastError () returned 0x7e [0055.635] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0055.635] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0055.635] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x12ea50, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0055.635] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x12f090, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80«#", lpUsedDefaultChar=0x0) returned 256 [0055.635] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12ef90, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0055.635] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12ef90, cbMultiByte=256, lpWideCharStr=0x12ec60, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0055.635] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0055.635] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x12ea50, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0055.635] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x12f190, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0055.636] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x100) returned 0x23f580 [0055.636] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0055.636] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x17e) returned 0x23f690 [0055.636] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0055.636] GetLastError () returned 0x0 [0055.636] SetLastError (dwErrCode=0x0) [0055.636] GetEnvironmentStringsW () returned 0x23f820* [0055.636] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0xb32) returned 0x240360 [0055.636] FreeEnvironmentStringsW (penv=0x23f820) returned 1 [0055.636] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x128) returned 0x240ea0 [0055.636] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x3e) returned 0x23afd0 [0055.636] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x56) returned 0x23adb0 [0055.636] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x62) returned 0x23f820 [0055.636] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x78) returned 0x23f890 [0055.636] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x62) returned 0x23f910 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x30) returned 0x23e8f0 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x48) returned 0x23b020 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x28) returned 0x237990 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1a) returned 0x2379c0 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x34) returned 0x23e930 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x5c) returned 0x23f980 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x32) returned 0x23e970 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x2e) returned 0x23e9b0 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1c) returned 0x2379f0 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x19c) returned 0x23f9f0 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x7c) returned 0x23fba0 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x3a) returned 0x23b070 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x90) returned 0x23fc30 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x24) returned 0x237a20 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x30) returned 0x23e9f0 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x36) returned 0x23ea30 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x3c) returned 0x23b0c0 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x52) returned 0x23fcd0 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x3c) returned 0x23b110 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0xd6) returned 0x23fd30 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x2e) returned 0x23ea70 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1e) returned 0x237a50 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x2c) returned 0x23eab0 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x54) returned 0x23fe10 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x52) returned 0x23fe70 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x2c) returned 0x23eaf0 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x26) returned 0x237a80 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x3e) returned 0x23b160 [0055.637] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x24) returned 0x237ab0 [0055.638] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x30) returned 0x23eb30 [0055.638] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x8c) returned 0x23fed0 [0055.638] HeapFree (in: hHeap=0x220000, dwFlags=0x0, lpMem=0x240360 | out: hHeap=0x220000) returned 1 [0055.638] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x8, Size=0x1000) returned 0x240fd0 [0055.639] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0055.639] GetStartupInfoW (in: lpStartupInfo=0x12f7a0 | out: lpStartupInfo=0x12f7a0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0055.639] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"1\"" [0055.639] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"1\"", pNumArgs=0x12f770 | out: pNumArgs=0x12f770) returned 0x2403f0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0055.639] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0055.646] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x1000) returned 0x2440c0 [0055.646] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x12) returned 0x240e10 [0055.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="KlXWgB9j", cchWideChar=-1, lpMultiByteStr=0x240e10, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="KlXWgB9j", lpUsedDefaultChar=0x0) returned 9 [0055.646] GetLastError () returned 0x0 [0055.646] SetLastError (dwErrCode=0x0) [0055.647] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jW") returned 0x0 [0055.647] GetLastError () returned 0x7f [0055.647] SetLastError (dwErrCode=0x7f) [0055.647] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jA") returned 0x0 [0055.647] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9j") returned 0x7fef2eb0010 [0055.647] RtlAllocateHeap (HeapHandle=0x220000, Flags=0x0, Size=0x4) returned 0x240e30 [0055.647] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x240e30, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0055.647] GetActiveWindow () returned 0x0 [0056.069] GetLastError () returned 0x7f [0056.069] SetLastError (dwErrCode=0x7f) Process: id = "15" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x43c57000" os_pid = "0x978" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"1\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 951 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 952 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 953 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 954 start_va = 0x1b0000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 955 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 956 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 957 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 958 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 959 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 960 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 961 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 962 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 963 start_va = 0x2b0000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 964 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 965 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 966 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 967 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 968 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 969 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 970 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 971 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 972 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 973 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 974 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 975 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 976 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 977 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 978 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 979 start_va = 0xc0000 end_va = 0x11ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 980 start_va = 0x450000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 981 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 982 start_va = 0x110000 end_va = 0x11ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 983 start_va = 0x550000 end_va = 0x6d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 984 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 985 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 986 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 987 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 988 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 989 start_va = 0x6e0000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 990 start_va = 0x870000 end_va = 0x1c6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 991 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 992 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 993 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 994 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 995 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Thread: id = 32 os_tid = 0x944 [0057.037] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2af918 | out: lpSystemTimeAsFileTime=0x2af918*(dwLowDateTime=0x1c3af620, dwHighDateTime=0x1d937fd)) [0057.037] GetCurrentThreadId () returned 0x944 [0057.037] GetCurrentProcessId () returned 0x978 [0057.037] QueryPerformanceCounter (in: lpPerformanceCount=0x2af920 | out: lpPerformanceCount=0x2af920*=3318155398258) returned 1 [0057.038] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0057.041] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0057.042] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0057.042] GetLastError () returned 0x7e [0057.042] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0057.042] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0057.043] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0057.043] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0057.043] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0057.044] GetProcessHeap () returned 0x350000 [0057.044] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0057.044] GetLastError () returned 0x7e [0057.044] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0057.044] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0057.045] GetLastError () returned 0x7e [0057.045] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0057.045] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0057.045] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3c8) returned 0x36cf90 [0057.045] SetLastError (dwErrCode=0x7e) [0057.045] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1200) returned 0x36d360 [0057.047] GetStartupInfoW (in: lpStartupInfo=0x2af7f0 | out: lpStartupInfo=0x2af7f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2af878, hStdError=0x1)) [0057.048] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0057.048] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0057.048] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0057.048] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"1\"" [0057.048] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"1\"" [0057.048] GetACP () returned 0x4e4 [0057.048] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x228) returned 0x36ab70 [0057.048] IsValidCodePage (CodePage=0x4e4) returned 1 [0057.048] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2af7b0 | out: lpCPInfo=0x2af7b0) returned 1 [0057.048] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2af050 | out: lpCPInfo=0x2af050) returned 1 [0057.048] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2af070, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0057.048] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2af070, cbMultiByte=256, lpWideCharStr=0x2aeda0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0057.048] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x2af370 | out: lpCharType=0x2af370) returned 1 [0057.048] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2af070, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0057.048] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2af070, cbMultiByte=256, lpWideCharStr=0x2aed40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0057.049] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0057.049] GetLastError () returned 0x7e [0057.049] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0057.049] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0057.050] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2aeb30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0057.050] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2af170, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿp«6", lpUsedDefaultChar=0x0) returned 256 [0057.050] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2af070, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0057.050] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2af070, cbMultiByte=256, lpWideCharStr=0x2aed40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0057.050] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0057.050] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2aeb30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0057.050] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2af270, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0057.050] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x100) returned 0x36f570 [0057.050] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0057.050] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x17c) returned 0x36f680 [0057.050] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0057.051] GetLastError () returned 0x0 [0057.051] SetLastError (dwErrCode=0x0) [0057.051] GetEnvironmentStringsW () returned 0x36f810* [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0xb32) returned 0x370350 [0057.053] FreeEnvironmentStringsW (penv=0x36f810) returned 1 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x128) returned 0x370e90 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3e) returned 0x36afc0 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x56) returned 0x36ada0 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x62) returned 0x36f810 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x78) returned 0x36f880 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x62) returned 0x36f900 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x30) returned 0x36e8e0 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x48) returned 0x36b010 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x28) returned 0x367970 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1a) returned 0x3679a0 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x34) returned 0x36e920 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x5c) returned 0x36f970 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x32) returned 0x36e960 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2e) returned 0x36e9a0 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1c) returned 0x3679d0 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x19c) returned 0x36f9e0 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x7c) returned 0x36fb90 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3a) returned 0x36b060 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x90) returned 0x36fc20 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x24) returned 0x367a00 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x30) returned 0x36e9e0 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x36) returned 0x36ea20 [0057.053] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3c) returned 0x36b0b0 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x52) returned 0x36fcc0 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3c) returned 0x36b100 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xd6) returned 0x36fd20 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2e) returned 0x36ea60 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1e) returned 0x367a30 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2c) returned 0x36eaa0 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x54) returned 0x36fe00 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x52) returned 0x36fe60 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2c) returned 0x36eae0 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x26) returned 0x367a60 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3e) returned 0x36b150 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x24) returned 0x367a90 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x30) returned 0x36eb20 [0057.054] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x8c) returned 0x36fec0 [0057.055] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x370350 | out: hHeap=0x350000) returned 1 [0057.055] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1000) returned 0x370fd0 [0057.055] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0057.055] GetStartupInfoW (in: lpStartupInfo=0x2af880 | out: lpStartupInfo=0x2af880*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0057.055] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"1\"" [0057.055] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"1\"", pNumArgs=0x2af850 | out: pNumArgs=0x2af850) returned 0x3703e0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0057.056] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0057.239] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x1000) returned 0x3740c0 [0057.239] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x10) returned 0x370e00 [0057.239] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="LKKIJ77", cchWideChar=-1, lpMultiByteStr=0x370e00, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LKKIJ77", lpUsedDefaultChar=0x0) returned 8 [0057.239] GetLastError () returned 0x0 [0057.239] SetLastError (dwErrCode=0x0) [0057.239] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77W") returned 0x0 [0057.240] GetLastError () returned 0x7f [0057.240] SetLastError (dwErrCode=0x7f) [0057.240] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77A") returned 0x0 [0057.240] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77") returned 0x7fef2ea6420 [0057.240] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x4) returned 0x370e20 [0057.240] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x370e20, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0057.240] GetActiveWindow () returned 0x0 [0057.536] GetLastError () returned 0x7f [0057.536] SetLastError (dwErrCode=0x7f) Process: id = "16" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x4286a000" os_pid = "0xdc8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"1\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 998 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 999 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1000 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1001 start_va = 0x1f0000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1002 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1003 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1004 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1005 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1006 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1007 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1008 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1009 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 1010 start_va = 0x2f0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1011 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1012 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1013 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1014 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1015 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1016 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1017 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1018 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1019 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1020 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1021 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1022 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1023 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1024 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1025 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1026 start_va = 0xc0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1027 start_va = 0xe0000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1028 start_va = 0x2f0000 end_va = 0x318fff monitored = 0 entry_point = 0x2f1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1029 start_va = 0x3b0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 1030 start_va = 0x4b0000 end_va = 0x637fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 1031 start_va = 0x2f0000 end_va = 0x318fff monitored = 0 entry_point = 0x2f1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1032 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1033 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1034 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1035 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1036 start_va = 0xd0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1037 start_va = 0x640000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 1038 start_va = 0x7d0000 end_va = 0x1bcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1039 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1040 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1041 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1042 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1043 start_va = 0x300000 end_va = 0x300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Thread: id = 34 os_tid = 0xdc0 [0058.412] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef858 | out: lpSystemTimeAsFileTime=0x2ef858*(dwLowDateTime=0x1d0c6f20, dwHighDateTime=0x1d937fd)) [0058.412] GetCurrentThreadId () returned 0xdc0 [0058.412] GetCurrentProcessId () returned 0xdc8 [0058.412] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef860 | out: lpPerformanceCount=0x2ef860*=3318292903029) returned 1 [0058.413] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0058.416] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0058.416] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0058.417] GetLastError () returned 0x7e [0058.417] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0058.417] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0058.417] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0058.418] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0058.418] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0058.419] GetProcessHeap () returned 0x3b0000 [0058.419] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0058.419] GetLastError () returned 0x7e [0058.419] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0058.419] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0058.419] GetLastError () returned 0x7e [0058.419] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0058.419] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0058.420] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3c8) returned 0x3ccfa0 [0058.420] SetLastError (dwErrCode=0x7e) [0058.420] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1200) returned 0x3cd370 [0058.422] GetStartupInfoW (in: lpStartupInfo=0x2ef730 | out: lpStartupInfo=0x2ef730*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2ef7b8, hStdError=0x1)) [0058.423] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0058.423] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0058.423] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0058.423] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"1\"" [0058.423] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"1\"" [0058.423] GetACP () returned 0x4e4 [0058.423] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x228) returned 0x3cab80 [0058.423] IsValidCodePage (CodePage=0x4e4) returned 1 [0058.423] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2ef6f0 | out: lpCPInfo=0x2ef6f0) returned 1 [0058.423] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2eef90 | out: lpCPInfo=0x2eef90) returned 1 [0058.423] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2eefb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0058.423] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2eefb0, cbMultiByte=256, lpWideCharStr=0x2eece0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0058.423] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x2ef2b0 | out: lpCharType=0x2ef2b0) returned 1 [0058.424] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2eefb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0058.424] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2eefb0, cbMultiByte=256, lpWideCharStr=0x2eec80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0058.424] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0058.424] GetLastError () returned 0x7e [0058.424] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0058.424] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0058.425] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2eea70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0058.425] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2ef0b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80«<", lpUsedDefaultChar=0x0) returned 256 [0058.425] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2eefb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0058.425] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2eefb0, cbMultiByte=256, lpWideCharStr=0x2eec80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0058.425] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0058.425] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2eea70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0058.425] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2ef1b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0058.425] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x100) returned 0x3cf580 [0058.425] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0058.425] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x182) returned 0x3cf690 [0058.425] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0058.425] GetLastError () returned 0x0 [0058.425] SetLastError (dwErrCode=0x0) [0058.425] GetEnvironmentStringsW () returned 0x3cf820* [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0xb32) returned 0x3d0360 [0058.426] FreeEnvironmentStringsW (penv=0x3cf820) returned 1 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x128) returned 0x3d0ea0 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3e) returned 0x3cafd0 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x56) returned 0x3cadb0 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x62) returned 0x3cf820 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x78) returned 0x3cf890 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x62) returned 0x3cf910 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x30) returned 0x3ce8f0 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x48) returned 0x3cb020 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x28) returned 0x3c7990 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1a) returned 0x3c79c0 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x34) returned 0x3ce930 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x5c) returned 0x3cf980 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x32) returned 0x3ce970 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x2e) returned 0x3ce9b0 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1c) returned 0x3c79f0 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x19c) returned 0x3cf9f0 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x7c) returned 0x3cfba0 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3a) returned 0x3cb070 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x90) returned 0x3cfc30 [0058.426] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x24) returned 0x3c7a20 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x30) returned 0x3ce9f0 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x36) returned 0x3cea30 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3c) returned 0x3cb0c0 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x52) returned 0x3cfcd0 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3c) returned 0x3cb110 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xd6) returned 0x3cfd30 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x2e) returned 0x3cea70 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1e) returned 0x3c7a50 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x2c) returned 0x3ceab0 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x54) returned 0x3cfe10 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x52) returned 0x3cfe70 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x2c) returned 0x3ceaf0 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x26) returned 0x3c7a80 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3e) returned 0x3cb160 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x24) returned 0x3c7ab0 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x30) returned 0x3ceb30 [0058.427] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x8c) returned 0x3cfed0 [0058.428] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3d0360 | out: hHeap=0x3b0000) returned 1 [0058.428] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1000) returned 0x3d0fd0 [0058.428] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0058.429] GetStartupInfoW (in: lpStartupInfo=0x2ef7c0 | out: lpStartupInfo=0x2ef7c0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0058.429] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"1\"" [0058.429] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"1\"", pNumArgs=0x2ef790 | out: pNumArgs=0x2ef790) returned 0x3d03f0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0058.429] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0058.437] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x1000) returned 0x3d40c0 [0058.597] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x16) returned 0x3d0e10 [0058.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MMlFUh3Tzt", cchWideChar=-1, lpMultiByteStr=0x3d0e10, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMlFUh3Tzt", lpUsedDefaultChar=0x0) returned 11 [0058.597] GetLastError () returned 0x0 [0058.597] SetLastError (dwErrCode=0x0) [0058.598] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztW") returned 0x0 [0058.598] GetLastError () returned 0x7f [0058.598] SetLastError (dwErrCode=0x7f) [0058.598] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztA") returned 0x0 [0058.598] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3Tzt") returned 0x7fef2eb0cf0 [0058.598] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x4) returned 0x3d0e30 [0058.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=-1, lpMultiByteStr=0x3d0e30, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1", lpUsedDefaultChar=0x0) returned 2 [0058.598] GetActiveWindow () returned 0x0 [0059.065] GetLastError () returned 0x7f [0059.065] SetLastError (dwErrCode=0x7f) Process: id = "17" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x4357d000" os_pid = "0xdf0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"Install\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1046 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1047 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1048 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1049 start_va = 0xf0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1050 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1051 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1052 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1053 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1054 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1055 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1056 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1057 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1058 start_va = 0x1f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1059 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1060 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1061 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1062 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1063 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1064 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1065 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1066 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1067 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1068 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1069 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1070 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1071 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1072 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1073 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1074 start_va = 0x1f0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1075 start_va = 0x300000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1076 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1107 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1108 start_va = 0x500000 end_va = 0x687fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 1109 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1110 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1111 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1112 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1113 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1114 start_va = 0x690000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 1115 start_va = 0x820000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 1122 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1123 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1124 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1714 start_va = 0x1f0000 end_va = 0x26dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1715 start_va = 0x2c0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2089 start_va = 0x1c20000 end_va = 0x1d77fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c20000" filename = "" Region: id = 2223 start_va = 0x1d80000 end_va = 0x1ee0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d80000" filename = "" Region: id = 2244 start_va = 0x7fefd2c0000 end_va = 0x7fefd42cfff monitored = 0 entry_point = 0x7fefd2c10b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2245 start_va = 0x7fefd270000 end_va = 0x7fefd27efff monitored = 0 entry_point = 0x7fefd271020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2246 start_va = 0x7fefd060000 end_va = 0x7fefd06afff monitored = 0 entry_point = 0x7fefd061030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2247 start_va = 0x7fefd090000 end_va = 0x7fefd0b4fff monitored = 0 entry_point = 0x7fefd099658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2248 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2249 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2250 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2251 start_va = 0x7fefabb0000 end_va = 0x7fefabc7fff monitored = 0 entry_point = 0x7fefabb1010 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2252 start_va = 0x7fefacc0000 end_va = 0x7feface6fff monitored = 0 entry_point = 0x7fefacc98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2253 start_va = 0x7fefed70000 end_va = 0x7fefed77fff monitored = 0 entry_point = 0x7fefed71504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2254 start_va = 0x7fefacb0000 end_va = 0x7fefacbafff monitored = 0 entry_point = 0x7fefacb1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2255 start_va = 0x7fefb550000 end_va = 0x7fefb560fff monitored = 0 entry_point = 0x7fefb551070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2256 start_va = 0x7feff280000 end_va = 0x7feff2ccfff monitored = 0 entry_point = 0x7feff281070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2257 start_va = 0x1ef0000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 2413 start_va = 0x2080000 end_va = 0x234efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2414 start_va = 0x2490000 end_va = 0x258ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 2415 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2508 start_va = 0x1ef0000 end_va = 0x1f6cfff monitored = 0 entry_point = 0x1efcec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2509 start_va = 0x2000000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 2510 start_va = 0x1ef0000 end_va = 0x1f6cfff monitored = 0 entry_point = 0x1efcec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2511 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2613 start_va = 0x2350000 end_va = 0x244ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 2614 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2615 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2616 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2617 start_va = 0x270000 end_va = 0x270fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 2618 start_va = 0x7fef9520000 end_va = 0x7fef952dfff monitored = 0 entry_point = 0x7fef9525500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2619 start_va = 0x7fef97c0000 end_va = 0x7fef9836fff monitored = 0 entry_point = 0x7fef97fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2620 start_va = 0x7fefcc30000 end_va = 0x7fefcc51fff monitored = 0 entry_point = 0x7fefcc35d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2621 start_va = 0x26d0000 end_va = 0x27cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 2622 start_va = 0x7fefcac0000 end_va = 0x7fefcad7fff monitored = 0 entry_point = 0x7fefcac3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2623 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2624 start_va = 0x1ef0000 end_va = 0x1f34fff monitored = 0 entry_point = 0x1ef1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2658 start_va = 0x1ef0000 end_va = 0x1f34fff monitored = 0 entry_point = 0x1ef1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2659 start_va = 0x1ef0000 end_va = 0x1f34fff monitored = 0 entry_point = 0x1ef1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2660 start_va = 0x1ef0000 end_va = 0x1f34fff monitored = 0 entry_point = 0x1ef1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2661 start_va = 0x1ef0000 end_va = 0x1f34fff monitored = 0 entry_point = 0x1ef1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2662 start_va = 0x7fefc7c0000 end_va = 0x7fefc806fff monitored = 0 entry_point = 0x7fefc7c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2663 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c3fff monitored = 0 entry_point = 0x7fefd1b10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2679 start_va = 0x25d0000 end_va = 0x26cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 2680 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2681 start_va = 0x2890000 end_va = 0x298ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 2682 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2686 start_va = 0x7fef9240000 end_va = 0x7fef9252fff monitored = 0 entry_point = 0x7fef9241d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2689 start_va = 0x7fef9560000 end_va = 0x7fef9632fff monitored = 0 entry_point = 0x7fef95d8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2690 start_va = 0x7fef9530000 end_va = 0x7fef9556fff monitored = 0 entry_point = 0x7fef95311a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2691 start_va = 0x280000 end_va = 0x282fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Thread: id = 36 os_tid = 0xdf4 [0060.117] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef7f8 | out: lpSystemTimeAsFileTime=0x1ef7f8*(dwLowDateTime=0x1e0d83a0, dwHighDateTime=0x1d937fd)) [0060.117] GetCurrentThreadId () returned 0xdf4 [0060.117] GetCurrentProcessId () returned 0xdf0 [0060.117] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef800 | out: lpPerformanceCount=0x1ef800*=3318463392037) returned 1 [0060.117] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0060.119] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0060.119] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0060.120] GetLastError () returned 0x7e [0060.120] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0060.120] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0060.120] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0060.121] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0060.121] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0060.121] GetProcessHeap () returned 0x300000 [0060.121] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0060.121] GetLastError () returned 0x7e [0060.121] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0060.121] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0060.122] GetLastError () returned 0x7e [0060.122] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0060.122] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0060.122] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x31cfb0 [0060.122] SetLastError (dwErrCode=0x7e) [0060.122] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1200) returned 0x31d380 [0060.124] GetStartupInfoW (in: lpStartupInfo=0x1ef6d0 | out: lpStartupInfo=0x1ef6d0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x1ef758, hStdError=0x1)) [0060.124] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0060.124] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0060.124] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0060.124] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"Install\"" [0060.124] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"Install\"" [0060.124] GetACP () returned 0x4e4 [0060.125] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x228) returned 0x31ab90 [0060.125] IsValidCodePage (CodePage=0x4e4) returned 1 [0060.125] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1ef690 | out: lpCPInfo=0x1ef690) returned 1 [0060.125] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1eef30 | out: lpCPInfo=0x1eef30) returned 1 [0060.125] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eef50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.125] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eef50, cbMultiByte=256, lpWideCharStr=0x1eec80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0060.125] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x1ef250 | out: lpCharType=0x1ef250) returned 1 [0060.125] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eef50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.125] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eef50, cbMultiByte=256, lpWideCharStr=0x1eec20, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0060.125] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0060.125] GetLastError () returned 0x7e [0060.125] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0060.125] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0060.126] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1eea10, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0060.126] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1ef050, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«1", lpUsedDefaultChar=0x0) returned 256 [0060.126] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eef50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0060.126] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1eef50, cbMultiByte=256, lpWideCharStr=0x1eec20, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0060.126] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0060.126] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1eea10, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0060.126] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1ef150, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0060.126] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x100) returned 0x31f590 [0060.126] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0060.126] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18e) returned 0x31f6a0 [0060.126] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0060.126] GetLastError () returned 0x0 [0060.126] SetLastError (dwErrCode=0x0) [0060.126] GetEnvironmentStringsW () returned 0x31f840* [0060.126] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xb32) returned 0x320380 [0060.126] FreeEnvironmentStringsW (penv=0x31f840) returned 1 [0060.126] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x128) returned 0x31f840 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x31afe0 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x56) returned 0x31adc0 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x62) returned 0x320ec0 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x320f30 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x62) returned 0x31f970 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31e900 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x31b030 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x28) returned 0x3179a0 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1a) returned 0x3179d0 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x34) returned 0x31e940 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x5c) returned 0x31f9e0 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x32) returned 0x31e980 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31e9c0 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1c) returned 0x317a00 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x19c) returned 0x31fa50 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x7c) returned 0x31fc00 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3a) returned 0x31b080 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x90) returned 0x31fc90 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x317a30 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31ea00 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x36) returned 0x31ea40 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x31b0d0 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x31fd30 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x31b120 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xd6) returned 0x31fd90 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31ea80 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x317a60 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x31eac0 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x54) returned 0x31fe70 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x31fed0 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x31eb00 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x26) returned 0x317a90 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x31b170 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x317ac0 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31eb40 [0060.127] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x8c) returned 0x31ff30 [0060.128] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x320380 | out: hHeap=0x300000) returned 1 [0060.128] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1000) returned 0x320fb0 [0060.128] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0060.128] GetStartupInfoW (in: lpStartupInfo=0x1ef760 | out: lpStartupInfo=0x1ef760*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0060.128] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"Install\"" [0060.129] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"Install\"", pNumArgs=0x1ef730 | out: pNumArgs=0x1ef730) returned 0x320450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0060.129] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0060.133] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x1000) returned 0x3240a0 [0060.134] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x16) returned 0x320e80 [0060.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Cpurthnvlc", cchWideChar=-1, lpMultiByteStr=0x320e80, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Cpurthnvlc", lpUsedDefaultChar=0x0) returned 11 [0060.134] GetLastError () returned 0x0 [0060.134] SetLastError (dwErrCode=0x0) [0060.134] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcW") returned 0x0 [0060.134] GetLastError () returned 0x7f [0060.134] SetLastError (dwErrCode=0x7f) [0060.134] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcA") returned 0x0 [0060.134] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="Cpurthnvlc") returned 0x7fef2ea5970 [0060.134] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x320ea0 [0060.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0x320ea0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0060.135] GetActiveWindow () returned 0x0 [0090.652] VirtualAlloc (lpAddress=0x0, dwSize=0x7e000, flAllocationType=0x3000, flProtect=0x40) returned 0x1f0000 [0091.306] GetProcAddress (hModule=0x77160000, lpProcName="ExitProcess") returned 0x772a40f0 [0091.307] GetProcAddress (hModule=0x77160000, lpProcName="LoadLibraryW") returned 0x77176420 [0091.307] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77280000 [0091.307] GetProcAddress (hModule=0x77280000, lpProcName="NtMapViewOfSection") returned 0x772d1590 [0091.307] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenFile") returned 0x772d1640 [0091.307] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenSection") returned 0x772d1680 [0091.307] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateSection") returned 0x772d17b0 [0091.307] GetProcAddress (hModule=0x77160000, lpProcName="VirtualProtect") returned 0x771629f0 [0091.308] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentThreadId") returned 0x77173380 [0091.308] GetProcAddress (hModule=0x77160000, lpProcName="GetModuleFileNameA") returned 0x77175940 [0091.309] GetProcAddress (hModule=0x77160000, lpProcName="VirtualAlloc") returned 0x77175c40 [0091.310] GetProcAddress (hModule=0x77160000, lpProcName="GetProcessHeap") returned 0x77181a30 [0091.310] GetProcAddress (hModule=0x77160000, lpProcName="HeapAlloc") returned 0x772d33a0 [0091.310] GetProcAddress (hModule=0x77160000, lpProcName="HeapFree") returned 0x77181a50 [0091.310] GetModuleFileNameA (in: hModule=0x7fef2ea0000, lpFilename=0x1ef430, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll")) returned 0x62 [0091.310] VirtualAlloc (lpAddress=0x0, dwSize=0x158000, flAllocationType=0x3000, flProtect=0x4) returned 0x1c20000 [0091.537] GetProcessHeap () returned 0x300000 [0091.537] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x3f80) returned 0x3250b0 [0092.389] GetProcessHeap () returned 0x300000 [0092.390] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3250b0 | out: hHeap=0x300000) returned 1 [0092.390] GetCurrentThreadId () returned 0xdf4 [0092.390] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ef2f4 | out: lpflOldProtect=0x1ef2f4*=0x20) returned 1 [0092.390] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ef2f4 | out: lpflOldProtect=0x1ef2f4*=0x40) returned 1 [0092.391] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ef2f4 | out: lpflOldProtect=0x1ef2f4*=0x20) returned 1 [0092.391] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ef2f4 | out: lpflOldProtect=0x1ef2f4*=0x40) returned 1 [0092.391] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ef2f4 | out: lpflOldProtect=0x1ef2f4*=0x20) returned 1 [0092.391] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ef2f4 | out: lpflOldProtect=0x1ef2f4*=0x40) returned 1 [0092.391] LoadLibraryW (lpLibFileName="gdiplus.dll") returned 0x1d80000 [0092.392] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ee164 | out: lpflOldProtect=0x1ee164*=0x20) returned 1 [0092.392] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ee164 | out: lpflOldProtect=0x1ee164*=0x40) returned 1 [0092.392] NtOpenFile (in: FileHandle=0x1ee248, DesiredAccess=0x100020, ObjectAttributes=0x1ee298*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1ee2c8, ShareAccess=0x3, OpenOptions=0x21 | out: FileHandle=0x1ee248*=0x70, IoStatusBlock=0x1ee2c8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0093.280] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ee164 | out: lpflOldProtect=0x1ee164*=0x20) returned 1 [0093.281] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ee164 | out: lpflOldProtect=0x1ee164*=0x40) returned 1 [0093.281] GetCurrentThreadId () returned 0xdf4 [0093.281] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1eee34 | out: lpflOldProtect=0x1eee34*=0x20) returned 1 [0093.282] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1eee34 | out: lpflOldProtect=0x1eee34*=0x40) returned 1 [0093.282] NtOpenFile (in: FileHandle=0x1eef00, DesiredAccess=0x100021, ObjectAttributes=0x1eefb8*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1eefe8, ShareAccess=0x5, OpenOptions=0x60 | out: FileHandle=0x1eef00*=0x74, IoStatusBlock=0x1eefe8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0093.282] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1eee24 | out: lpflOldProtect=0x1eee24*=0x20) returned 1 [0093.283] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1eee24 | out: lpflOldProtect=0x1eee24*=0x40) returned 1 [0093.283] GetCurrentThreadId () returned 0xdf4 [0093.283] NtCreateSection (in: SectionHandle=0x1eef08, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x74 | out: SectionHandle=0x1eef08*=0x78) returned 0x0 [0093.284] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1eecb4 | out: lpflOldProtect=0x1eecb4*=0x20) returned 1 [0093.284] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1eecb4 | out: lpflOldProtect=0x1eecb4*=0x40) returned 1 [0093.284] GetCurrentThreadId () returned 0xdf4 [0093.284] NtCreateSection (in: SectionHandle=0x1eed98, DesiredAccess=0xe, ObjectAttributes=0x0, MaximumSize=0x1eed90, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x1eed98*=0x7c) returned 0x0 [0093.284] NtMapViewOfSection (in: SectionHandle=0x7c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1eed38*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1eef58*=0x0, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1eed38*=0x1d80000, SectionOffset=0x0, ViewSize=0x1eef58*=0x161000) returned 0x0 [0094.083] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eee38 | out: lpSystemTimeAsFileTime=0x1eee38*(dwLowDateTime=0x2e3acf80, dwHighDateTime=0x1d937fd)) [0094.083] GetCurrentThreadId () returned 0xdf4 [0094.083] GetCurrentProcessId () returned 0xdf0 [0094.083] QueryPerformanceCounter (in: lpPerformanceCount=0x1eee40 | out: lpPerformanceCount=0x1eee40*=3322836649331) returned 1 [0094.624] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0094.624] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0094.624] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0094.625] GetLastError () returned 0x7e [0094.625] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0094.626] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0094.878] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0095.328] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0095.329] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0095.342] GetProcessHeap () returned 0x300000 [0095.550] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0095.550] GetLastError () returned 0x7e [0095.550] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0095.550] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0095.551] GetLastError () returned 0x7e [0095.551] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0095.572] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x331a80 [0095.572] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0095.833] SetLastError (dwErrCode=0x7e) [0095.851] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1000) returned 0x331e50 [0095.854] GetStartupInfoW (in: lpStartupInfo=0x1eecc0 | out: lpStartupInfo=0x1eecc0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x1)) [0095.854] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0095.854] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0095.854] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0096.142] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"Install\"" [0096.143] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"Install\"" [0096.162] GetLastError () returned 0x7e [0096.162] SetLastError (dwErrCode=0x7e) [0096.162] GetLastError () returned 0x7e [0096.162] SetLastError (dwErrCode=0x7e) [0096.162] GetACP () returned 0x4e4 [0096.162] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x228) returned 0x333e60 [0096.163] IsValidCodePage (CodePage=0x4e4) returned 1 [0096.163] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1eec90 | out: lpCPInfo=0x1eec90) returned 1 [0096.315] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1ee530 | out: lpCPInfo=0x1ee530) returned 1 [0096.315] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ee550, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0096.315] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ee550, cbMultiByte=256, lpWideCharStr=0x1ee280, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ0") returned 256 [0096.315] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ0", cchSrc=256, lpCharType=0x1ee850 | out: lpCharType=0x1ee850) returned 1 [0096.341] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ee550, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0096.341] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ee550, cbMultiByte=256, lpWideCharStr=0x1ee220, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0096.341] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0096.341] GetLastError () returned 0x7e [0096.342] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0096.342] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0096.342] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ee010, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0096.342] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1ee650, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿX\x010", lpUsedDefaultChar=0x0) returned 256 [0096.342] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ee550, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0096.342] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ee550, cbMultiByte=256, lpWideCharStr=0x1ee220, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0096.342] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0096.342] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ee010, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0096.342] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1ee750, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0096.521] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x100) returned 0x334090 [0096.521] RtlInitializeSListHead (in: ListHead=0x1ec8410 | out: ListHead=0x1ec8410) [0096.709] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0096.710] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0096.710] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0096.710] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0096.710] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0096.710] GetProcAddress (hModule=0x77160000, lpProcName="InitializeCriticalSectionEx") returned 0x77176e50 [0096.710] GetProcAddress (hModule=0x77160000, lpProcName="InitOnceExecuteOnce") returned 0x77165d60 [0096.710] GetProcAddress (hModule=0x77160000, lpProcName="CreateEventExW") returned 0x771ac970 [0096.710] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreW") returned 0x77168e00 [0096.710] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreExW") returned 0x771ac8a0 [0096.711] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolTimer") returned 0x77167e90 [0096.711] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolTimer") returned 0x7729b2f0 [0096.711] GetProcAddress (hModule=0x77160000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7728d8c0 [0096.711] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolTimer") returned 0x7728d620 [0096.711] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWait") returned 0x771abe60 [0096.711] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolWait") returned 0x7729e170 [0096.711] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWait") returned 0x7728c540 [0096.711] GetProcAddress (hModule=0x77160000, lpProcName="FlushProcessWriteBuffers") returned 0x772d1f80 [0096.712] GetProcAddress (hModule=0x77160000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x7734ec60 [0096.712] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentProcessorNumber") returned 0x772d0040 [0096.712] GetProcAddress (hModule=0x77160000, lpProcName="CreateSymbolicLinkW") returned 0x771d5af0 [0096.712] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentPackageId") returned 0x0 [0096.712] GetProcAddress (hModule=0x77160000, lpProcName="GetTickCount64") returned 0x77168ac0 [0096.712] GetProcAddress (hModule=0x77160000, lpProcName="GetFileInformationByHandleEx") returned 0x771712f0 [0096.712] GetProcAddress (hModule=0x77160000, lpProcName="SetFileInformationByHandle") returned 0x771ac120 [0096.712] GetProcAddress (hModule=0x77160000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0096.712] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0096.713] GetProcAddress (hModule=0x77160000, lpProcName="WakeConditionVariable") returned 0x7733bab0 [0096.713] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0096.713] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0096.713] GetProcAddress (hModule=0x77160000, lpProcName="InitializeSRWLock") returned 0x772b84f0 [0096.713] GetProcAddress (hModule=0x77160000, lpProcName="AcquireSRWLockExclusive") returned 0x772a8020 [0096.713] GetProcAddress (hModule=0x77160000, lpProcName="TryAcquireSRWLockExclusive") returned 0x7732bdd0 [0096.713] GetProcAddress (hModule=0x77160000, lpProcName="ReleaseSRWLockExclusive") returned 0x772a8050 [0096.713] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableSRW") returned 0x771ab5c0 [0096.713] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWork") returned 0x77165d30 [0096.714] GetProcAddress (hModule=0x77160000, lpProcName="SubmitThreadpoolWork") returned 0x77292330 [0096.714] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWork") returned 0x772921f0 [0096.714] GetProcAddress (hModule=0x77160000, lpProcName="CompareStringEx") returned 0x771abd60 [0096.714] GetProcAddress (hModule=0x77160000, lpProcName="GetLocaleInfoEx") returned 0x771635e0 [0096.714] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0096.923] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0096.923] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0096.923] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0096.923] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0096.923] RtlInitializeConditionVariable () returned 0x772a00b0 [0096.936] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1000) returned 0x3341a0 [0096.949] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1ec8fb0, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0096.949] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xdb) returned 0x322ee0 [0096.949] GetEnvironmentStringsW () returned 0x3351b0* [0096.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1433 [0096.949] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x599) returned 0x335cf0 [0096.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x335cf0, cbMultiByte=1433, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1433 [0096.949] FreeEnvironmentStringsW (penv=0x3351b0) returned 1 [0096.949] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x128) returned 0x3351b0 [0096.949] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1f) returned 0x325c50 [0096.949] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2b) returned 0x333750 [0096.949] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x31) returned 0x333790 [0096.949] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x3300c0 [0096.949] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x31) returned 0x3337d0 [0096.949] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18) returned 0x3352e0 [0096.949] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x325c80 [0096.949] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x14) returned 0x335300 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xd) returned 0x335320 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1a) returned 0x325cb0 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x333810 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x19) returned 0x325ce0 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x17) returned 0x335340 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xe) returned 0x335360 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xce) returned 0x335380 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x330110 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1d) returned 0x325d10 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x330160 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x12) returned 0x335460 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18) returned 0x335480 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1b) returned 0x325d40 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x325d70 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x29) returned 0x333850 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x325da0 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x6b) returned 0x32bdc0 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x17) returned 0x3354a0 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xf) returned 0x3354c0 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x16) returned 0x3354e0 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2a) returned 0x333890 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x29) returned 0x3338d0 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x16) returned 0x3362d0 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x13) returned 0x3362f0 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1f) returned 0x325dd0 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x12) returned 0x336310 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18) returned 0x336330 [0096.950] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x46) returned 0x3301b0 [0096.951] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335cf0 | out: hHeap=0x300000) returned 1 [0097.120] GetCurrentThread () returned 0xfffffffffffffffe [0097.120] GetThreadTimes (in: hThread=0xfffffffffffffffe, lpCreationTime=0x1eed78, lpExitTime=0x1eed70, lpKernelTime=0x1eed70, lpUserTime=0x1eed70 | out: lpCreationTime=0x1eed78, lpExitTime=0x1eed70, lpKernelTime=0x1eed70, lpUserTime=0x1eed70) returned 1 [0097.120] RtlInitializeSListHead (in: ListHead=0x1ec8aa0 | out: ListHead=0x1ec8aa0) [0097.263] RtlPcToFileHeader (in: PcValue=0x1eafef8, BaseOfImage=0x1eeca0 | out: BaseOfImage=0x1eeca0*=0x1d80000) returned 0x1d80000 [0097.501] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x50) returned 0x336aa0 [0097.501] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x98 [0097.502] RtlWakeAllConditionVariable () returned 0x772a00b0 [0097.711] RtlWakeAllConditionVariable () returned 0x772a00b0 [0097.711] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x1eebf0 | out: lpWSAData=0x1eebf0) returned 0 [0098.044] RtlWakeAllConditionVariable () returned 0x772a00b0 [0098.044] RtlWakeAllConditionVariable () returned 0x772a00b0 [0098.064] RtlSizeHeap (HeapHandle=0x300000, Flags=0x0, MemoryPointer=0x334090) returned 0x100 [0098.064] RtlReAllocateHeap (Heap=0x300000, Flags=0x0, Ptr=0x334090, Size=0x200) returned 0x335500 [0098.291] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0098.291] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateThreadEx") returned 0x772d1d90 [0098.291] GetProcAddress (hModule=0x77280000, lpProcName="RtlNewSecurityObjectWithMultipleInheritance") returned 0x77364540 [0098.291] GetCurrentProcess () returned 0xffffffffffffffff [0098.291] NtCreateThreadEx (in: ThreadHandle=0x1ec9890, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffffffffffff, lpStartAddress=0x77364540, lpParameter=0x0, CreateSuspended=1, StackZeroBits=0x0, SizeOfStackCommit=0x0, SizeOfStackReserve=0x0, lpBytesBuffer=0x0 | out: ThreadHandle=0x1ec9890*=0xb0, lpBytesBuffer=0x0) returned 0x0 [0098.292] GetThreadContext (in: hThread=0xb0, lpContext=0x1ee920 | out: lpContext=0x1ee920*(P1Home=0x336ea0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0x33, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0x334090, Dr2=0x772d3488, Dr3=0x300230, Dr6=0x300388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x77364540, Rdx=0x0, Rbx=0x0, Rsp=0x258fe18, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x334090, VectorRegister.High=0x334090, VectorControl=0x0, DebugControl=0x1e07129, LastBranchToRip=0x0, LastBranchFromRip=0x1ef2d8, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0098.434] SetThreadContext (hThread=0xb0, lpContext=0x1ee920*(P1Home=0x336ea0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0x33, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0x334090, Dr2=0x772d3488, Dr3=0x300230, Dr6=0x300388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x1d9365c, Rdx=0x0, Rbx=0x0, Rsp=0x258fe18, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x334090, VectorRegister.High=0x334090, VectorControl=0x0, DebugControl=0x1e07129, LastBranchToRip=0x0, LastBranchFromRip=0x1ef2d8, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0098.434] ResumeThread (hThread=0xb0) returned 0x1 [0098.703] GetProcAddress (hModule=0x1d80000, lpProcName="setPath") returned 0x1d94604 [0098.704] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x70) returned 0x32bec0 [0098.704] SetEvent (hEvent=0x98) returned 1 [0098.704] WaitForSingleObject (hHandle=0xb0, dwMilliseconds=0xffffffff) returned 0x0 [0116.202] RtlExitUserProcess (ExitCode=0x0) [0116.207] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31cfb0 | out: hHeap=0x300000) returned 1 [0116.208] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x331a80 | out: hHeap=0x300000) returned 1 [0117.031] WSACleanup () returned 0 [0117.890] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bec0 | out: hHeap=0x300000) returned 1 [0117.892] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336aa0 | out: hHeap=0x300000) returned 1 [0118.284] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339660 | out: hHeap=0x300000) returned 1 [0118.474] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3383d0 | out: hHeap=0x300000) returned 1 [0118.474] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336370 | out: hHeap=0x300000) returned 1 [0118.475] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334090 | out: hHeap=0x300000) returned 1 [0118.475] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333e10 | out: hHeap=0x300000) returned 1 [0118.495] RtlInterlockedFlushSList (in: ListHead=0x1ec8410 | out: ListHead=0x1ec8410) returned 0x0 [0118.496] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335500 | out: hHeap=0x300000) returned 1 [0119.290] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3341a0 | out: hHeap=0x300000) returned 1 [0119.290] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0119.291] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x350cc0 | out: hHeap=0x300000) returned 1 [0119.292] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x362f40 | out: hHeap=0x300000) returned 1 [0119.292] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340b0 | out: hHeap=0x300000) returned 1 [0119.293] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3393a0 | out: hHeap=0x300000) returned 1 [0119.293] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x366ba0 | out: hHeap=0x300000) returned 1 [0119.441] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0119.442] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bfc0 | out: hHeap=0x300000) returned 1 [0119.443] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32c040 | out: hHeap=0x300000) returned 1 [0119.444] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32c0c0 | out: hHeap=0x300000) returned 1 [0119.664] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325c50 | out: hHeap=0x300000) returned 1 [0119.665] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333750 | out: hHeap=0x300000) returned 1 [0119.665] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333790 | out: hHeap=0x300000) returned 1 [0119.665] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3300c0 | out: hHeap=0x300000) returned 1 [0119.666] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3337d0 | out: hHeap=0x300000) returned 1 [0119.666] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3352e0 | out: hHeap=0x300000) returned 1 [0119.666] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325c80 | out: hHeap=0x300000) returned 1 [0119.666] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335300 | out: hHeap=0x300000) returned 1 [0119.666] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335320 | out: hHeap=0x300000) returned 1 [0119.666] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325cb0 | out: hHeap=0x300000) returned 1 [0119.667] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333810 | out: hHeap=0x300000) returned 1 [0119.667] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325ce0 | out: hHeap=0x300000) returned 1 [0119.667] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335340 | out: hHeap=0x300000) returned 1 [0119.667] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335360 | out: hHeap=0x300000) returned 1 [0119.667] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335380 | out: hHeap=0x300000) returned 1 [0119.667] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330110 | out: hHeap=0x300000) returned 1 [0119.667] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325d10 | out: hHeap=0x300000) returned 1 [0119.668] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330160 | out: hHeap=0x300000) returned 1 [0119.668] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335460 | out: hHeap=0x300000) returned 1 [0119.668] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335480 | out: hHeap=0x300000) returned 1 [0119.668] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325d40 | out: hHeap=0x300000) returned 1 [0119.668] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325d70 | out: hHeap=0x300000) returned 1 [0119.669] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333850 | out: hHeap=0x300000) returned 1 [0119.669] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325da0 | out: hHeap=0x300000) returned 1 [0119.670] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x300000) returned 1 [0119.670] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3354a0 | out: hHeap=0x300000) returned 1 [0119.670] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3354c0 | out: hHeap=0x300000) returned 1 [0119.670] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3354e0 | out: hHeap=0x300000) returned 1 [0119.670] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333890 | out: hHeap=0x300000) returned 1 [0119.671] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3338d0 | out: hHeap=0x300000) returned 1 [0119.671] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3362d0 | out: hHeap=0x300000) returned 1 [0119.671] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3362f0 | out: hHeap=0x300000) returned 1 [0119.671] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325dd0 | out: hHeap=0x300000) returned 1 [0119.671] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336310 | out: hHeap=0x300000) returned 1 [0119.671] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336330 | out: hHeap=0x300000) returned 1 [0119.672] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3301b0 | out: hHeap=0x300000) returned 1 [0119.673] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3351b0 | out: hHeap=0x300000) returned 1 [0119.673] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333e60 | out: hHeap=0x300000) returned 1 [0119.674] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x322ee0 | out: hHeap=0x300000) returned 1 [0119.707] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x331e50 | out: hHeap=0x300000) returned 1 [0119.707] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0119.707] FreeLibrary (hLibModule=0x77160000) returned 1 [0119.965] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0119.965] FreeLibrary (hLibModule=0x77160000) returned 1 Thread: id = 142 os_tid = 0xbe0 [0098.472] GetLastError () returned 0x57 [0098.472] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0098.472] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x32be40 [0098.472] SetLastError (dwErrCode=0x57) [0098.472] GetLastError () returned 0x57 [0098.472] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x335b30 [0098.473] SetLastError (dwErrCode=0x57) [0098.704] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) [0098.704] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0098.709] GetLastError () returned 0x7e [0098.709] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x258f8a0 | out: lpSystemTimeAsFileTime=0x258f8a0*(dwLowDateTime=0x3060ad20, dwHighDateTime=0x1d937fd)) [0098.709] GetLastError () returned 0x7e [0098.709] SetLastError (dwErrCode=0x7e) [0098.709] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0098.709] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x70) returned 0x32bf40 [0098.897] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x260) returned 0x335f00 [0099.271] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0099.271] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x38) returned 0x333e10 [0099.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2) returned 0x334090 [0099.448] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334090 | out: hHeap=0x300000) returned 1 [0099.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2) returned 0x334090 [0099.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x3383d0 [0099.467] GetLastError () returned 0x7e [0099.467] SetLastError (dwErrCode=0x7e) [0099.467] GetLastError () returned 0x7e [0099.467] SetLastError (dwErrCode=0x7e) [0099.641] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x158) returned 0x3393a0 [0099.641] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6a6) returned 0x339500 [0099.642] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339500 | out: hHeap=0x300000) returned 1 [0099.642] GetLastError () returned 0x7e [0099.642] SetLastError (dwErrCode=0x7e) [0099.642] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6) returned 0x3340b0 [0099.642] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2) returned 0x3340d0 [0099.891] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x4) returned 0x3340f0 [0099.892] GetLastError () returned 0x7e [0099.892] SetLastError (dwErrCode=0x7e) [0099.892] GetLastError () returned 0x7e [0099.892] SetLastError (dwErrCode=0x7e) [0099.892] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x158) returned 0x339500 [0099.892] GetLastError () returned 0x7e [0099.892] SetLastError (dwErrCode=0x7e) [0099.892] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6a6) returned 0x339660 [0099.893] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339660 | out: hHeap=0x300000) returned 1 [0099.893] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340b0 | out: hHeap=0x300000) returned 1 [0099.893] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3393a0 | out: hHeap=0x300000) returned 1 [0099.894] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340f0 | out: hHeap=0x300000) returned 1 [0099.894] GetLastError () returned 0x7e [0099.894] SetLastError (dwErrCode=0x7e) [0099.894] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6) returned 0x3340b0 [0099.894] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2) returned 0x3340f0 [0099.894] GetLastError () returned 0x7e [0099.894] SetLastError (dwErrCode=0x7e) [0099.894] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x200) returned 0x339660 [0099.894] GetLastError () returned 0x7e [0099.894] SetLastError (dwErrCode=0x7e) [0099.894] GetLastError () returned 0x7e [0099.894] SetLastError (dwErrCode=0x7e) [0099.894] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x4) returned 0x334110 [0099.894] GetLastError () returned 0x7e [0099.895] SetLastError (dwErrCode=0x7e) [0099.895] GetLastError () returned 0x7e [0099.895] SetLastError (dwErrCode=0x7e) [0099.895] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x158) returned 0x3393a0 [0099.895] GetLastError () returned 0x7e [0099.895] SetLastError (dwErrCode=0x7e) [0099.895] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6a6) returned 0x339870 [0099.896] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339870 | out: hHeap=0x300000) returned 1 [0099.896] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340b0 | out: hHeap=0x300000) returned 1 [0099.896] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339500 | out: hHeap=0x300000) returned 1 [0099.896] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334110 | out: hHeap=0x300000) returned 1 [0099.896] GetLastError () returned 0x7e [0099.896] SetLastError (dwErrCode=0x7e) [0099.896] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6) returned 0x3340b0 [0099.896] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340f0 | out: hHeap=0x300000) returned 1 [0099.896] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340d0 | out: hHeap=0x300000) returned 1 [0099.896] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336370 [0099.897] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0099.897] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x25a) returned 0x339870 [0100.085] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.105] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e90 [0100.105] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325ec0 [0100.105] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.106] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e90 | out: hHeap=0x300000) returned 1 [0100.106] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e90 [0100.106] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x60) returned 0x32d5e0 [0100.106] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.106] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x80) returned 0x3340d0 [0100.107] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32d5e0 | out: hHeap=0x300000) returned 1 [0100.107] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325ef0 [0100.107] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xc0) returned 0x336170 [0100.107] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340d0 | out: hHeap=0x300000) returned 1 [0100.107] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325f20 [0100.107] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325f50 [0100.107] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x120) returned 0x339500 [0100.108] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336170 | out: hHeap=0x300000) returned 1 [0100.108] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325f80 [0100.108] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325fb0 [0100.108] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x1a0) returned 0x339ae0 [0100.108] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339500 | out: hHeap=0x300000) returned 1 [0100.108] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325fe0 [0100.108] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326010 [0100.108] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326040 [0100.108] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326070 [0100.108] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x260) returned 0x339c90 [0100.109] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339ae0 | out: hHeap=0x300000) returned 1 [0100.109] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x3260a0 [0100.109] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x3260d0 [0100.109] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326100 [0100.109] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326130 [0100.109] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326160 [0100.109] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339f30 [0100.109] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x380) returned 0x33ab00 [0100.110] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339c90 | out: hHeap=0x300000) returned 1 [0100.110] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339f60 [0100.110] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339f90 [0100.110] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339fc0 [0100.111] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339ff0 [0100.111] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a020 [0100.111] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a050 [0100.111] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a080 [0100.111] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a0b0 [0100.111] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a0e0 [0100.111] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x540) returned 0x33ae90 [0100.111] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ab00 | out: hHeap=0x300000) returned 1 [0100.111] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a110 [0100.112] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a140 [0100.112] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a170 [0100.112] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a1a0 [0100.112] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a1d0 [0100.112] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.113] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339870 | out: hHeap=0x300000) returned 1 [0100.113] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.113] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.113] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.113] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.113] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0100.113] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.113] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.114] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.114] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.114] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.114] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.114] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330250 [0100.114] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.114] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.114] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.114] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0100.114] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.115] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.115] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.115] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.115] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.115] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.115] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x80) returned 0x3340d0 [0100.115] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330250 | out: hHeap=0x300000) returned 1 [0100.116] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.116] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.116] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.116] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xf) returned 0x3363b0 [0100.116] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.116] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.117] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.117] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.117] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.117] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xc0) returned 0x336170 [0100.117] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340d0 | out: hHeap=0x300000) returned 1 [0100.118] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3363b0 [0100.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.118] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.118] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.119] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.119] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.119] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x100) returned 0x339500 [0100.119] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336170 | out: hHeap=0x300000) returned 1 [0100.119] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.119] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.120] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.120] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3363b0 [0100.120] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.120] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.120] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.514] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.514] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.514] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.514] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x180) returned 0x33ab00 [0100.516] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339500 | out: hHeap=0x300000) returned 1 [0100.517] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.517] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.517] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.517] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0100.517] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.517] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.518] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.518] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.518] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.518] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.519] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.519] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.519] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.519] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3363b0 [0100.519] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.519] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.520] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.520] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.521] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.521] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.521] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x240) returned 0x339870 [0100.522] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ab00 | out: hHeap=0x300000) returned 1 [0100.523] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.523] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.523] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.523] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xe) returned 0x3363b0 [0100.523] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.523] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.524] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.524] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.524] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.524] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.525] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.525] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.525] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.525] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0100.525] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.525] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.525] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.525] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.525] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.525] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.526] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.526] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.526] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.526] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0100.526] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.527] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.527] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.527] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.527] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.527] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.527] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x340) returned 0x33ab00 [0100.527] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339870 | out: hHeap=0x300000) returned 1 [0100.528] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.528] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.528] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.528] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3363b0 [0100.528] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.528] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.529] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.529] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.529] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.529] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.529] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.529] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.529] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.529] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0100.529] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.529] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.530] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.530] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.530] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.530] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.531] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.531] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.532] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.532] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3363b0 [0100.532] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.532] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.533] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.533] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.533] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.533] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.534] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.534] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.534] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.534] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0100.534] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.534] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.535] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.535] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.535] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.535] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.535] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x4c0) returned 0x339870 [0100.536] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ab00 | out: hHeap=0x300000) returned 1 [0100.537] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.537] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.537] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.537] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0100.537] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.537] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.538] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.538] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.538] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.538] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.539] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.539] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.539] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.539] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0100.539] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.539] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.540] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.540] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.540] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0100.540] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0100.540] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0100.540] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0100.541] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0100.541] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3363b0 [0100.541] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0100.541] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0100.541] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0100.541] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0100.541] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0101.900] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0101.915] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.228] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.252] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.252] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3363b0 [0102.580] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.580] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.581] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.581] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.581] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.581] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.581] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.581] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.582] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.582] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0102.582] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.582] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.582] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.582] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.582] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.582] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.583] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.583] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.583] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.583] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0102.583] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.583] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.584] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.584] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.584] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.584] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.584] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x700) returned 0x33b3e0 [0102.585] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339870 | out: hHeap=0x300000) returned 1 [0102.585] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.585] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.585] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.586] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0102.586] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.586] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.586] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.586] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.586] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.586] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.587] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.587] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.587] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.587] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0102.587] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.587] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.587] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.588] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.588] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.588] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.588] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.588] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.588] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.588] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0102.589] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.589] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.589] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.589] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.589] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.589] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.590] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.590] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.590] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.590] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0102.590] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.590] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.590] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.590] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.591] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.591] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.591] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.591] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.591] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.591] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0102.592] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.592] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.592] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.592] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.592] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.592] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.593] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.593] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.593] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.593] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3363b0 [0102.593] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.593] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.594] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.594] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.594] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.594] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.594] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.594] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.594] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.595] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0102.595] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.595] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.595] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.595] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.595] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.595] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.596] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.596] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.596] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.596] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0102.596] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.596] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.597] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.597] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.597] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.597] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.597] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.597] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.597] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.597] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3363b0 [0102.598] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.598] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.598] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.598] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.598] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.598] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.598] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xa80) returned 0x33baf0 [0102.599] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33b3e0 | out: hHeap=0x300000) returned 1 [0102.600] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.600] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.600] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.600] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3363b0 [0102.600] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.600] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.600] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.601] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.601] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.994] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.994] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.994] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.994] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.994] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0102.994] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.995] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.995] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.995] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.995] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.995] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.996] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.996] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.996] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.996] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3363b0 [0102.996] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.996] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.997] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.997] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.997] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.997] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.997] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.997] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0102.997] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0102.997] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0102.997] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0102.997] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0102.998] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0102.998] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0102.998] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0102.998] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0102.999] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0102.999] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325ec0 | out: hHeap=0x300000) returned 1 [0102.999] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e90 | out: hHeap=0x300000) returned 1 [0103.000] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325ef0 | out: hHeap=0x300000) returned 1 [0103.000] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325f20 | out: hHeap=0x300000) returned 1 [0103.001] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325f50 | out: hHeap=0x300000) returned 1 [0103.001] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325f80 | out: hHeap=0x300000) returned 1 [0103.001] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325fb0 | out: hHeap=0x300000) returned 1 [0103.002] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325fe0 | out: hHeap=0x300000) returned 1 [0103.002] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326010 | out: hHeap=0x300000) returned 1 [0103.002] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326040 | out: hHeap=0x300000) returned 1 [0103.003] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326070 | out: hHeap=0x300000) returned 1 [0103.003] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3260a0 | out: hHeap=0x300000) returned 1 [0103.004] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3260d0 | out: hHeap=0x300000) returned 1 [0103.004] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326100 | out: hHeap=0x300000) returned 1 [0103.004] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326130 | out: hHeap=0x300000) returned 1 [0103.005] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326160 | out: hHeap=0x300000) returned 1 [0103.005] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339f30 | out: hHeap=0x300000) returned 1 [0103.005] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339f60 | out: hHeap=0x300000) returned 1 [0103.006] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339f90 | out: hHeap=0x300000) returned 1 [0103.006] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339fc0 | out: hHeap=0x300000) returned 1 [0103.008] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339ff0 | out: hHeap=0x300000) returned 1 [0103.008] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a020 | out: hHeap=0x300000) returned 1 [0103.009] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a050 | out: hHeap=0x300000) returned 1 [0103.010] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a080 | out: hHeap=0x300000) returned 1 [0103.010] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a0b0 | out: hHeap=0x300000) returned 1 [0103.010] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a0e0 | out: hHeap=0x300000) returned 1 [0103.011] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a110 | out: hHeap=0x300000) returned 1 [0103.011] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a140 | out: hHeap=0x300000) returned 1 [0103.011] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a170 | out: hHeap=0x300000) returned 1 [0103.012] HeapFree (hHeap=0x300000, dwFlags=0x0, lpMem=0x33a1a0) [0103.012] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a1a0 | out: hHeap=0x300000) returned 1 [0103.012] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a1d0 | out: hHeap=0x300000) returned 1 [0103.013] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ae90 | out: hHeap=0x300000) returned 1 [0103.475] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335f00 | out: hHeap=0x300000) returned 1 [0103.495] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0103.505] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0107.554] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0107.554] GetProcAddress (hModule=0x77280000, lpProcName="ZwAllocateVirtualMemory") returned 0x772d1490 [0107.554] GetProcAddress (hModule=0x77280000, lpProcName="ZwWriteVirtualMemory") returned 0x772d16b0 [0107.554] GetProcAddress (hModule=0x77280000, lpProcName="ZwReadVirtualMemory") returned 0x772d1700 [0107.554] GetProcAddress (hModule=0x77280000, lpProcName="ZwGetContextThread") returned 0x772d1fe0 [0107.554] GetProcAddress (hModule=0x77280000, lpProcName="ZwSetContextThread") returned 0x772d2840 [0107.568] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x347ff0 [0107.580] CoCreateInstance (in: rclsid=0x1e657e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e657f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x258f750 | out: ppv=0x258f750*=0x3366d0) returned 0x0 [0107.598] WbemLocator:IWbemLocator:ConnectServer (in: This=0x3366d0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x258f748 | out: ppNamespace=0x258f748*=0x3635f0) returned 0x0 [0110.404] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x7fefd730000 [0110.405] GetProcAddress (hModule=0x7fefd730000, lpProcName="CoSetProxyBlanket") returned 0x7fefd76bf00 [0110.405] CoSetProxyBlanket (pProxy=0x3635f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0110.841] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x3369f0 [0110.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x347ff0, cbMultiByte=35, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 35 [0110.861] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x347ff0, cbMultiByte=35, lpWideCharStr=0x258f640, cchWideChar=35 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystem") returned 35 [0110.862] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x336a10 [0110.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e7b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0110.862] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e7b258, cbMultiByte=4, lpWideCharStr=0x258f680, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0110.862] IWbemServices:ExecQuery (in: This=0x3635f0, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystem", lFlags=48, pCtx=0x0, ppEnum=0x258f758 | out: ppEnum=0x258f758*=0x36a4c0) returned 0x0 [0111.059] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336a10 | out: hHeap=0x300000) returned 1 [0111.059] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3369f0 | out: hHeap=0x300000) returned 1 [0111.059] IEnumWbemClassObject:Next (in: This=0x36a4c0, lTimeout=-1, uCount=0x1, apObjects=0x258f760, puReturned=0x258f878 | out: apObjects=0x258f760*=0x36e2d0, puReturned=0x258f878*=0x1) returned 0x0 [0111.605] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x258f8b0, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0111.632] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x258f8b0, cbMultiByte=4, lpWideCharStr=0x258f678, cchWideChar=4 | out: lpWideCharStr="Name") returned 4 [0112.340] IWbemClassObject:Get (in: This=0x36e2d0, wszName="Name", lFlags=0, pVal=0x258f800*(varType=0x0, wReserved1=0x34, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x258f800*(varType=0x8, wReserved1=0x34, wReserved2=0x0, wReserved3=0x0, varVal1="Q9IATRKPRH", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0112.354] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x34bca0 [0112.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0112.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x258f698, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Q9IATRKPRH", lpUsedDefaultChar=0x0) returned 10 [0112.588] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x34bca0 | out: hHeap=0x300000) returned 1 [0112.589] IUnknown:Release (This=0x36e2d0) returned 0x0 [0112.589] WbemLocator:IUnknown:Release (This=0x3635f0) returned 0x0 [0112.630] WbemLocator:IUnknown:Release (This=0x3366d0) returned 0x0 [0112.630] IUnknown:Release (This=0x36a4c0) returned 0x0 [0112.645] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x347ff0 | out: hHeap=0x300000) returned 1 [0112.677] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x347ff0 [0112.677] CoCreateInstance (in: rclsid=0x1e657e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e657f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x258f750 | out: ppv=0x258f750*=0x336a10) returned 0x0 [0112.677] WbemLocator:IWbemLocator:ConnectServer (in: This=0x336a10, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x258f748 | out: ppNamespace=0x258f748*=0x3635f0) returned 0x0 [0112.984] CoSetProxyBlanket (pProxy=0x3635f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0112.984] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x336a70 [0112.984] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x347ff0, cbMultiByte=42, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 42 [0112.984] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x347ff0, cbMultiByte=42, lpWideCharStr=0x258f630, cchWideChar=42 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystemProduct") returned 42 [0112.984] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x3366d0 [0112.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e7b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0112.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e7b258, cbMultiByte=4, lpWideCharStr=0x258f680, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0112.985] IWbemServices:ExecQuery (This=0x3635f0, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystemProduct", lFlags=48, pCtx=0x0, ppEnum=0x258f758) [0112.985] IWbemServices:ExecQuery (in: This=0x3635f0, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystemProduct", lFlags=48, pCtx=0x0, ppEnum=0x258f758 | out: ppEnum=0x258f758*=0x36a4c0) returned 0x0 [0112.988] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3366d0 | out: hHeap=0x300000) returned 1 [0112.988] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336a70 | out: hHeap=0x300000) returned 1 [0112.988] IEnumWbemClassObject:Next (in: This=0x36a4c0, lTimeout=-1, uCount=0x1, apObjects=0x258f760, puReturned=0x258f878 | out: apObjects=0x258f760*=0x36c240, puReturned=0x258f878*=0x1) returned 0x0 [0113.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x258f8b0, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0113.305] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x258f8b0, cbMultiByte=4, lpWideCharStr=0x258f678, cchWideChar=4 | out: lpWideCharStr="UUID") returned 4 [0113.305] IWbemClassObject:Get (in: This=0x36c240, wszName="UUID", lFlags=0, pVal=0x258f800*(varType=0x0, wReserved1=0x34, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x258f800*(varType=0x8, wReserved1=0x34, wReserved2=0x0, wReserved3=0x0, varVal1="4C4C4544-0050-3710-8058-CAC04F59344A", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0113.305] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x50) returned 0x3476d0 [0113.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0113.305] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x35dd30 [0113.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x35dd30, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4C4C4544-0050-3710-8058-CAC04F59344A", lpUsedDefaultChar=0x0) returned 36 [0113.306] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3476d0 | out: hHeap=0x300000) returned 1 [0113.306] IUnknown:Release (This=0x36c240) returned 0x0 [0113.306] WbemLocator:IUnknown:Release (This=0x3635f0) returned 0x0 [0113.307] WbemLocator:IUnknown:Release (This=0x336a10) returned 0x0 [0113.307] IUnknown:Release (This=0x36a4c0) returned 0x0 [0113.335] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x347ff0 | out: hHeap=0x300000) returned 1 [0113.335] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x347ff0 [0113.349] GetLastError () returned 0x0 [0113.349] SetLastError (dwErrCode=0x0) [0113.487] GetLastError () returned 0x0 [0113.487] SetLastError (dwErrCode=0x0) [0113.487] GetLastError () returned 0x0 [0113.487] SetLastError (dwErrCode=0x0) [0113.487] GetLastError () returned 0x0 [0113.487] SetLastError (dwErrCode=0x0) [0113.487] GetLastError () returned 0x0 [0113.488] SetLastError (dwErrCode=0x0) [0113.488] GetLastError () returned 0x0 [0113.488] SetLastError (dwErrCode=0x0) [0113.488] GetLastError () returned 0x0 [0113.488] SetLastError (dwErrCode=0x0) [0113.488] GetLastError () returned 0x0 [0113.488] SetLastError (dwErrCode=0x0) [0113.488] GetLastError () returned 0x0 [0113.488] SetLastError (dwErrCode=0x0) [0113.488] GetLastError () returned 0x0 [0113.488] SetLastError (dwErrCode=0x0) [0113.488] GetLastError () returned 0x0 [0113.488] SetLastError (dwErrCode=0x0) [0113.488] GetLastError () returned 0x0 [0113.488] SetLastError (dwErrCode=0x0) [0113.488] GetLastError () returned 0x0 [0113.488] SetLastError (dwErrCode=0x0) [0113.488] GetLastError () returned 0x0 [0113.488] SetLastError (dwErrCode=0x0) [0113.488] GetLastError () returned 0x0 [0113.488] SetLastError (dwErrCode=0x0) [0113.488] GetLastError () returned 0x0 [0113.489] SetLastError (dwErrCode=0x0) [0113.489] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x35dcf0 [0113.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x35dcf0, cbMultiByte=32, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 32 [0113.489] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x50) returned 0x3473d0 [0113.489] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x35dcf0, cbMultiByte=32, lpWideCharStr=0x3473d0, cchWideChar=32 | out: lpWideCharStr="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 32 [0113.489] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 0x180 [0113.489] GetLastError () returned 0xb7 [0113.489] CloseHandle (hObject=0x180) returned 1 [0113.490] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3473d0 | out: hHeap=0x300000) returned 1 [0113.894] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x35dcf0 | out: hHeap=0x300000) returned 1 [0113.895] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x347ff0 | out: hHeap=0x300000) returned 1 [0113.896] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x35dd30 | out: hHeap=0x300000) returned 1 [0114.008] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33baf0 | out: hHeap=0x300000) returned 1 [0114.008] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bf40 | out: hHeap=0x300000) returned 1 [0114.009] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32be40 | out: hHeap=0x300000) returned 1 [0114.009] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335b30 | out: hHeap=0x300000) returned 1 Thread: id = 152 os_tid = 0xd58 Thread: id = 156 os_tid = 0x854 [0108.210] GetLastError () returned 0x57 [0108.496] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x32bfc0 [0108.514] SetLastError (dwErrCode=0x57) [0108.820] GetLastError () returned 0x57 [0108.839] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x350cc0 [0109.117] SetLastError (dwErrCode=0x57) Thread: id = 158 os_tid = 0x858 [0110.215] GetLastError () returned 0x57 [0110.215] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x32c040 [0110.216] SetLastError (dwErrCode=0x57) [0110.216] GetLastError () returned 0x57 [0110.216] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x362f40 [0110.216] SetLastError (dwErrCode=0x57) Thread: id = 159 os_tid = 0xe14 [0110.217] GetLastError () returned 0x57 [0110.217] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x32c0c0 [0110.217] SetLastError (dwErrCode=0x57) [0110.217] GetLastError () returned 0x57 [0110.217] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x366ba0 [0110.217] SetLastError (dwErrCode=0x57) Process: id = "18" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x42b89000" os_pid = "0xe00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"Install\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1077 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1078 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1079 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1080 start_va = 0x190000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1081 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1082 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1083 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1084 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1085 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1086 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1087 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1088 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1089 start_va = 0x290000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1090 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1091 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1092 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1093 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1094 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1095 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1096 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1097 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1098 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1099 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1100 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1101 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1102 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1103 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1104 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1105 start_va = 0x410000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 1106 start_va = 0x510000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1116 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1117 start_va = 0x610000 end_va = 0x797fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 1118 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1119 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1120 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1153 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1154 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1155 start_va = 0x7a0000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 1156 start_va = 0x930000 end_va = 0x1d2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 1162 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1163 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1164 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1165 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1166 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Thread: id = 38 os_tid = 0xdfc [0061.280] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fdb8 | out: lpSystemTimeAsFileTime=0x28fdb8*(dwLowDateTime=0x1ec00ac0, dwHighDateTime=0x1d937fd)) [0061.280] GetCurrentThreadId () returned 0xdfc [0061.280] GetCurrentProcessId () returned 0xe00 [0061.280] QueryPerformanceCounter (in: lpPerformanceCount=0x28fdc0 | out: lpPerformanceCount=0x28fdc0*=3318579682919) returned 1 [0061.280] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0061.283] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0061.283] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0061.284] GetLastError () returned 0x7e [0061.284] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0061.284] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0061.284] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0061.285] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0061.285] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0061.286] GetProcessHeap () returned 0x310000 [0061.286] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0061.286] GetLastError () returned 0x7e [0061.286] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0061.286] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0061.286] GetLastError () returned 0x7e [0061.286] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0061.286] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0061.286] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x3c8) returned 0x32cfa0 [0061.287] SetLastError (dwErrCode=0x7e) [0061.287] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x1200) returned 0x32d370 [0061.289] GetStartupInfoW (in: lpStartupInfo=0x28fc90 | out: lpStartupInfo=0x28fc90*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x28fd18, hStdError=0x1)) [0061.289] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0061.289] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0061.289] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0061.289] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"Install\"" [0061.289] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"Install\"" [0061.289] GetACP () returned 0x4e4 [0061.290] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x228) returned 0x32ab80 [0061.290] IsValidCodePage (CodePage=0x4e4) returned 1 [0061.290] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x28fc50 | out: lpCPInfo=0x28fc50) returned 1 [0061.290] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x28f4f0 | out: lpCPInfo=0x28f4f0) returned 1 [0061.290] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f510, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0061.290] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f510, cbMultiByte=256, lpWideCharStr=0x28f240, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0061.290] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x28f810 | out: lpCharType=0x28f810) returned 1 [0061.290] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f510, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0061.290] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f510, cbMultiByte=256, lpWideCharStr=0x28f1e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0061.290] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0061.290] GetLastError () returned 0x7e [0061.290] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0061.291] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0061.291] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x28efd0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0061.291] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x28f610, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80«2", lpUsedDefaultChar=0x0) returned 256 [0061.291] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f510, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0061.291] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f510, cbMultiByte=256, lpWideCharStr=0x28f1e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0061.291] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0061.291] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x28efd0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0061.291] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x28f710, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0061.292] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x100) returned 0x32f580 [0061.292] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0061.292] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x18a) returned 0x32f690 [0061.292] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0061.292] GetLastError () returned 0x0 [0061.292] SetLastError (dwErrCode=0x0) [0061.292] GetEnvironmentStringsW () returned 0x32f830* [0061.292] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0xb32) returned 0x330370 [0061.292] FreeEnvironmentStringsW (penv=0x32f830) returned 1 [0061.292] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x128) returned 0x32f830 [0061.292] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x3e) returned 0x32afd0 [0061.292] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x56) returned 0x32adb0 [0061.292] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x62) returned 0x330eb0 [0061.292] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x78) returned 0x330f20 [0061.292] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x62) returned 0x32f960 [0061.292] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x30) returned 0x32e8f0 [0061.292] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x48) returned 0x32b020 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x28) returned 0x327990 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x1a) returned 0x3279c0 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x34) returned 0x32e930 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x5c) returned 0x32f9d0 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x32) returned 0x32e970 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x2e) returned 0x32e9b0 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x1c) returned 0x3279f0 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x19c) returned 0x32fa40 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x7c) returned 0x32fbf0 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x3a) returned 0x32b070 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x90) returned 0x32fc80 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x24) returned 0x327a20 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x30) returned 0x32e9f0 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x36) returned 0x32ea30 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x3c) returned 0x32b0c0 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x52) returned 0x32fd20 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x3c) returned 0x32b110 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0xd6) returned 0x32fd80 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x2e) returned 0x32ea70 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x1e) returned 0x327a50 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x2c) returned 0x32eab0 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x54) returned 0x32fe60 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x52) returned 0x32fec0 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x2c) returned 0x32eaf0 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x26) returned 0x327a80 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x3e) returned 0x32b160 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x24) returned 0x327ab0 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x30) returned 0x32eb30 [0061.293] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x8c) returned 0x32ff20 [0061.294] HeapFree (in: hHeap=0x310000, dwFlags=0x0, lpMem=0x330370 | out: hHeap=0x310000) returned 1 [0061.294] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x8, Size=0x1000) returned 0x330fa0 [0061.294] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0061.295] GetStartupInfoW (in: lpStartupInfo=0x28fd20 | out: lpStartupInfo=0x28fd20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0061.295] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"Install\"" [0061.295] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"Install\"", pNumArgs=0x28fcf0 | out: pNumArgs=0x28fcf0) returned 0x330440*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0061.295] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0061.300] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x1000) returned 0x334090 [0061.301] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x12) returned 0x330e70 [0061.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="FPH732n7", cchWideChar=-1, lpMultiByteStr=0x330e70, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FPH732n7", lpUsedDefaultChar=0x0) returned 9 [0061.301] GetLastError () returned 0x0 [0061.301] SetLastError (dwErrCode=0x0) [0061.301] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7W") returned 0x0 [0061.301] GetLastError () returned 0x7f [0061.301] SetLastError (dwErrCode=0x7f) [0061.301] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7A") returned 0x0 [0061.302] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7") returned 0x7fef2eb1cf0 [0061.302] RtlAllocateHeap (HeapHandle=0x310000, Flags=0x0, Size=0x10) returned 0x330e90 [0061.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0x330e90, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0061.302] GetActiveWindow () returned 0x0 [0061.343] GetLastError () returned 0x7f [0061.343] SetLastError (dwErrCode=0x7f) Process: id = "19" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x43595000" os_pid = "0xe48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"Install\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1127 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1128 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1129 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1130 start_va = 0x70000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1131 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1132 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1133 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1134 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1135 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1136 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1137 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1138 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 1139 start_va = 0x170000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1140 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1141 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1142 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1143 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1144 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1145 start_va = 0x170000 end_va = 0x1d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1146 start_va = 0x260000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 1147 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1148 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1149 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1150 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1151 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1152 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1157 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1158 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1159 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1160 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1161 start_va = 0x360000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 1167 start_va = 0x1e0000 end_va = 0x208fff monitored = 0 entry_point = 0x1e1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1168 start_va = 0x460000 end_va = 0x5e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 1169 start_va = 0x1e0000 end_va = 0x208fff monitored = 0 entry_point = 0x1e1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1170 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1171 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1172 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1173 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1174 start_va = 0x5f0000 end_va = 0x770fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 1175 start_va = 0x780000 end_va = 0x1b7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 1176 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1177 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1178 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1179 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1180 start_va = 0x200000 end_va = 0x200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Thread: id = 40 os_tid = 0xe60 [0061.775] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fc18 | out: lpSystemTimeAsFileTime=0x16fc18*(dwLowDateTime=0x1f09d560, dwHighDateTime=0x1d937fd)) [0061.775] GetCurrentThreadId () returned 0xe60 [0061.775] GetCurrentProcessId () returned 0xe48 [0061.775] QueryPerformanceCounter (in: lpPerformanceCount=0x16fc20 | out: lpPerformanceCount=0x16fc20*=3318994059810) returned 1 [0061.776] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0061.790] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0061.790] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0061.790] GetLastError () returned 0x7e [0061.790] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0061.790] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0061.791] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0061.791] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0061.791] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0061.792] GetProcessHeap () returned 0x260000 [0061.792] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0061.792] GetLastError () returned 0x7e [0061.792] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0061.792] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0061.792] GetLastError () returned 0x7e [0061.793] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0061.793] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0061.793] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x3c8) returned 0x27cfa0 [0061.793] SetLastError (dwErrCode=0x7e) [0061.793] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x1200) returned 0x27d370 [0061.795] GetStartupInfoW (in: lpStartupInfo=0x16faf0 | out: lpStartupInfo=0x16faf0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x16fb78, hStdError=0x1)) [0061.795] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0061.795] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0061.795] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0061.795] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"Install\"" [0061.795] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"Install\"" [0061.795] GetACP () returned 0x4e4 [0061.795] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x228) returned 0x27ab80 [0061.795] IsValidCodePage (CodePage=0x4e4) returned 1 [0061.795] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x16fab0 | out: lpCPInfo=0x16fab0) returned 1 [0061.795] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x16f350 | out: lpCPInfo=0x16f350) returned 1 [0061.795] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f370, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0061.795] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f370, cbMultiByte=256, lpWideCharStr=0x16f0a0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0061.795] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x16f670 | out: lpCharType=0x16f670) returned 1 [0061.796] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f370, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0061.796] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f370, cbMultiByte=256, lpWideCharStr=0x16f040, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0061.796] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0061.796] GetLastError () returned 0x7e [0061.796] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0061.796] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0061.796] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x16ee30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0061.796] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x16f470, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80«'", lpUsedDefaultChar=0x0) returned 256 [0061.796] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f370, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0061.796] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f370, cbMultiByte=256, lpWideCharStr=0x16f040, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0061.796] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0061.797] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x16ee30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0061.797] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x16f570, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x100) returned 0x27f580 [0061.797] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x18a) returned 0x27f690 [0061.797] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0061.797] GetLastError () returned 0x0 [0061.797] SetLastError (dwErrCode=0x0) [0061.797] GetEnvironmentStringsW () returned 0x27f830* [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0xb32) returned 0x280370 [0061.797] FreeEnvironmentStringsW (penv=0x27f830) returned 1 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x128) returned 0x27f830 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x3e) returned 0x27afd0 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x56) returned 0x27adb0 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x62) returned 0x280eb0 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x78) returned 0x280f20 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x62) returned 0x27f960 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x30) returned 0x27e8f0 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x48) returned 0x27b020 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x28) returned 0x277990 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x1a) returned 0x2779c0 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x34) returned 0x27e930 [0061.797] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x5c) returned 0x27f9d0 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x32) returned 0x27e970 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x2e) returned 0x27e9b0 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x1c) returned 0x2779f0 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x19c) returned 0x27fa40 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x7c) returned 0x27fbf0 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x3a) returned 0x27b070 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x90) returned 0x27fc80 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x24) returned 0x277a20 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x30) returned 0x27e9f0 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x36) returned 0x27ea30 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x3c) returned 0x27b0c0 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x52) returned 0x27fd20 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x3c) returned 0x27b110 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xd6) returned 0x27fd80 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x2e) returned 0x27ea70 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x1e) returned 0x277a50 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x2c) returned 0x27eab0 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x54) returned 0x27fe60 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x52) returned 0x27fec0 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x2c) returned 0x27eaf0 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x26) returned 0x277a80 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x3e) returned 0x27b160 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x24) returned 0x277ab0 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x30) returned 0x27eb30 [0061.798] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x8c) returned 0x27ff20 [0061.799] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x280370 | out: hHeap=0x260000) returned 1 [0061.799] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x1000) returned 0x280fa0 [0061.799] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0061.799] GetStartupInfoW (in: lpStartupInfo=0x16fb80 | out: lpStartupInfo=0x16fb80*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0061.799] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"Install\"" [0061.799] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"Install\"", pNumArgs=0x16fb50 | out: pNumArgs=0x16fb50) returned 0x280440*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0061.799] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0061.803] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1000) returned 0x284090 [0061.804] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x12) returned 0x280e70 [0061.804] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="KlXWgB9j", cchWideChar=-1, lpMultiByteStr=0x280e70, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="KlXWgB9j", lpUsedDefaultChar=0x0) returned 9 [0061.804] GetLastError () returned 0x0 [0061.804] SetLastError (dwErrCode=0x0) [0061.804] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jW") returned 0x0 [0061.804] GetLastError () returned 0x7f [0061.804] SetLastError (dwErrCode=0x7f) [0061.804] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jA") returned 0x0 [0061.804] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9j") returned 0x7fef2eb0010 [0061.804] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x10) returned 0x280e90 [0061.804] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0x280e90, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0061.804] GetActiveWindow () returned 0x0 [0061.933] GetLastError () returned 0x7f [0061.933] SetLastError (dwErrCode=0x7f) Process: id = "20" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x434a1000" os_pid = "0xe94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"Install\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1181 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1182 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1183 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1184 start_va = 0x1d0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1185 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1186 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1187 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1188 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1189 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1190 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1191 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1192 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1193 start_va = 0x2d0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 1194 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1195 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1196 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1197 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1198 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1199 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1200 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1201 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1202 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1203 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1204 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1205 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1206 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1207 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1208 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1209 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1210 start_va = 0xc0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1211 start_va = 0x2d0000 end_va = 0x2f8fff monitored = 0 entry_point = 0x2d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1212 start_va = 0x3c0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 1213 start_va = 0x4c0000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 1214 start_va = 0x2d0000 end_va = 0x2f8fff monitored = 0 entry_point = 0x2d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1215 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1216 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1217 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1218 start_va = 0x2d0000 end_va = 0x2d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 1219 start_va = 0x650000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 1220 start_va = 0x7e0000 end_va = 0x1bdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1221 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1222 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1223 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 1224 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1226 start_va = 0x300000 end_va = 0x300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1562 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1563 start_va = 0x300000 end_va = 0x300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Thread: id = 42 os_tid = 0xe3c [0065.550] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf918 | out: lpSystemTimeAsFileTime=0x2cf918*(dwLowDateTime=0x2137b9b0, dwHighDateTime=0x1d937fd)) [0065.550] GetCurrentThreadId () returned 0xe3c [0065.550] GetCurrentProcessId () returned 0xe94 [0065.550] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf920 | out: lpPerformanceCount=0x2cf920*=3319600264064) returned 1 [0065.551] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0065.554] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0065.554] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0065.554] GetLastError () returned 0x7e [0065.554] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0065.555] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0065.555] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0065.555] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0065.556] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0065.556] GetProcessHeap () returned 0x3c0000 [0065.556] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0065.556] GetLastError () returned 0x7e [0065.556] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0065.556] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0065.557] GetLastError () returned 0x7e [0065.557] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0065.557] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0065.557] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3c8) returned 0x3dcfa0 [0065.558] SetLastError (dwErrCode=0x7e) [0065.558] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1200) returned 0x3dd370 [0065.560] GetStartupInfoW (in: lpStartupInfo=0x2cf7f0 | out: lpStartupInfo=0x2cf7f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2cf878, hStdError=0x1)) [0065.560] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0065.560] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0065.560] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0065.560] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"Install\"" [0065.560] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"Install\"" [0065.560] GetACP () returned 0x4e4 [0065.560] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x228) returned 0x3dab80 [0065.560] IsValidCodePage (CodePage=0x4e4) returned 1 [0065.560] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf7b0 | out: lpCPInfo=0x2cf7b0) returned 1 [0065.560] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf050 | out: lpCPInfo=0x2cf050) returned 1 [0065.560] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf070, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0065.560] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf070, cbMultiByte=256, lpWideCharStr=0x2ceda0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0065.560] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x2cf370 | out: lpCharType=0x2cf370) returned 1 [0065.561] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf070, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0065.561] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf070, cbMultiByte=256, lpWideCharStr=0x2ced40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0065.561] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0065.561] GetLastError () returned 0x7e [0065.561] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0065.561] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0065.562] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ceb30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0065.562] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2cf170, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80«=", lpUsedDefaultChar=0x0) returned 256 [0065.562] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf070, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0065.562] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf070, cbMultiByte=256, lpWideCharStr=0x2ced40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0065.562] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0065.562] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ceb30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0065.562] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2cf270, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x100) returned 0x3df580 [0065.563] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x188) returned 0x3df690 [0065.563] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0065.563] GetLastError () returned 0x0 [0065.563] SetLastError (dwErrCode=0x0) [0065.563] GetEnvironmentStringsW () returned 0x3df820* [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0xb32) returned 0x3e0360 [0065.563] FreeEnvironmentStringsW (penv=0x3df820) returned 1 [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x128) returned 0x3e0ea0 [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3e) returned 0x3dafd0 [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x56) returned 0x3dadb0 [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x62) returned 0x3df820 [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x78) returned 0x3df890 [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x62) returned 0x3df910 [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x30) returned 0x3de8f0 [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x48) returned 0x3db020 [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x28) returned 0x3d7990 [0065.563] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1a) returned 0x3d79c0 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x34) returned 0x3de930 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x5c) returned 0x3df980 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x32) returned 0x3de970 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2e) returned 0x3de9b0 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1c) returned 0x3d79f0 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x19c) returned 0x3df9f0 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x7c) returned 0x3dfba0 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3a) returned 0x3db070 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x90) returned 0x3dfc30 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x24) returned 0x3d7a20 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x30) returned 0x3de9f0 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x36) returned 0x3dea30 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3c) returned 0x3db0c0 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x52) returned 0x3dfcd0 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3c) returned 0x3db110 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0xd6) returned 0x3dfd30 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2e) returned 0x3dea70 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1e) returned 0x3d7a50 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2c) returned 0x3deab0 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x54) returned 0x3dfe10 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x52) returned 0x3dfe70 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x2c) returned 0x3deaf0 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x26) returned 0x3d7a80 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x3e) returned 0x3db160 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x24) returned 0x3d7ab0 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x30) returned 0x3deb30 [0065.564] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x8c) returned 0x3dfed0 [0065.565] HeapFree (in: hHeap=0x3c0000, dwFlags=0x0, lpMem=0x3e0360 | out: hHeap=0x3c0000) returned 1 [0065.565] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x8, Size=0x1000) returned 0x3e0fd0 [0065.565] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0065.565] GetStartupInfoW (in: lpStartupInfo=0x2cf880 | out: lpStartupInfo=0x2cf880*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0065.565] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"Install\"" [0065.565] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"Install\"", pNumArgs=0x2cf850 | out: pNumArgs=0x2cf850) returned 0x3e03f0*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0065.566] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0065.571] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x1000) returned 0x3e40c0 [0065.571] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x10) returned 0x3e0e10 [0065.571] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="LKKIJ77", cchWideChar=-1, lpMultiByteStr=0x3e0e10, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LKKIJ77", lpUsedDefaultChar=0x0) returned 8 [0065.571] GetLastError () returned 0x0 [0065.571] SetLastError (dwErrCode=0x0) [0065.572] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77W") returned 0x0 [0065.572] GetLastError () returned 0x7f [0065.572] SetLastError (dwErrCode=0x7f) [0065.572] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77A") returned 0x0 [0065.572] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77") returned 0x7fef2ea6420 [0065.572] RtlAllocateHeap (HeapHandle=0x3c0000, Flags=0x0, Size=0x10) returned 0x3e0e30 [0065.572] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0x3e0e30, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0065.572] GetActiveWindow () returned 0x0 [0065.573] GetLastError () returned 0x7f [0065.573] SetLastError (dwErrCode=0x7f) Process: id = "21" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x42cb1000" os_pid = "0xe78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"Install\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1227 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1228 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1229 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1230 start_va = 0x110000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1231 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1232 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1233 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1234 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1235 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1236 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1237 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1238 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 1239 start_va = 0x210000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1240 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1241 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1242 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1243 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1244 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1245 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1246 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1247 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1248 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1249 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1250 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1253 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1254 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1255 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1256 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1257 start_va = 0x210000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1258 start_va = 0x2b0000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 1259 start_va = 0x3b0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 1260 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1261 start_va = 0x4b0000 end_va = 0x637fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 1262 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1263 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1264 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1265 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1266 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1267 start_va = 0x640000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 1268 start_va = 0x7d0000 end_va = 0x1bcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1311 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1312 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1313 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1317 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1318 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Thread: id = 44 os_tid = 0xe24 [0067.148] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fa18 | out: lpSystemTimeAsFileTime=0x20fa18*(dwLowDateTime=0x221dace0, dwHighDateTime=0x1d937fd)) [0067.148] GetCurrentThreadId () returned 0xe24 [0067.148] GetCurrentProcessId () returned 0xe78 [0067.148] QueryPerformanceCounter (in: lpPerformanceCount=0x20fa20 | out: lpPerformanceCount=0x20fa20*=3319760048094) returned 1 [0067.149] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0067.151] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0067.151] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0067.151] GetLastError () returned 0x7e [0067.151] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0067.151] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0067.151] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0067.152] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0067.152] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0067.152] GetProcessHeap () returned 0x2b0000 [0067.152] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0067.153] GetLastError () returned 0x7e [0067.153] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0067.153] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0067.153] GetLastError () returned 0x7e [0067.153] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0067.153] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0067.153] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x3c8) returned 0x2ccfb0 [0067.153] SetLastError (dwErrCode=0x7e) [0067.153] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x1200) returned 0x2cd380 [0067.155] GetStartupInfoW (in: lpStartupInfo=0x20f8f0 | out: lpStartupInfo=0x20f8f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x20f978, hStdError=0x1)) [0067.155] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0067.155] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0067.155] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0067.155] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"Install\"" [0067.155] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"Install\"" [0067.155] GetACP () returned 0x4e4 [0067.156] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x228) returned 0x2cab90 [0067.156] IsValidCodePage (CodePage=0x4e4) returned 1 [0067.156] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x20f8b0 | out: lpCPInfo=0x20f8b0) returned 1 [0067.156] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x20f150 | out: lpCPInfo=0x20f150) returned 1 [0067.156] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f170, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.156] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f170, cbMultiByte=256, lpWideCharStr=0x20eea0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0067.156] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x20f470 | out: lpCharType=0x20f470) returned 1 [0067.156] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f170, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.156] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f170, cbMultiByte=256, lpWideCharStr=0x20ee40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0067.156] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0067.156] GetLastError () returned 0x7e [0067.156] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0067.156] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0067.157] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x20ec30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0067.157] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x20f270, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«,", lpUsedDefaultChar=0x0) returned 256 [0067.157] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f170, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.157] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f170, cbMultiByte=256, lpWideCharStr=0x20ee40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0067.157] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0067.157] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x20ec30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0067.157] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x20f370, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0067.157] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x100) returned 0x2cf590 [0067.157] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0067.157] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x18e) returned 0x2cf6a0 [0067.157] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0067.157] GetLastError () returned 0x0 [0067.157] SetLastError (dwErrCode=0x0) [0067.157] GetEnvironmentStringsW () returned 0x2cf840* [0067.157] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0xb32) returned 0x2d0380 [0067.157] FreeEnvironmentStringsW (penv=0x2cf840) returned 1 [0067.157] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x128) returned 0x2cf840 [0067.157] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x3e) returned 0x2cafe0 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x56) returned 0x2cadc0 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x62) returned 0x2d0ec0 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x78) returned 0x2d0f30 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x62) returned 0x2cf970 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x30) returned 0x2ce900 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x48) returned 0x2cb030 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x28) returned 0x2c79a0 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x1a) returned 0x2c79d0 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x34) returned 0x2ce940 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x5c) returned 0x2cf9e0 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x32) returned 0x2ce980 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x2e) returned 0x2ce9c0 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x1c) returned 0x2c7a00 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x19c) returned 0x2cfa50 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x7c) returned 0x2cfc00 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x3a) returned 0x2cb080 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x90) returned 0x2cfc90 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x24) returned 0x2c7a30 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x30) returned 0x2cea00 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x36) returned 0x2cea40 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x3c) returned 0x2cb0d0 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x52) returned 0x2cfd30 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x3c) returned 0x2cb120 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0xd6) returned 0x2cfd90 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x2e) returned 0x2cea80 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x1e) returned 0x2c7a60 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x2c) returned 0x2ceac0 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x54) returned 0x2cfe70 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x52) returned 0x2cfed0 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x2c) returned 0x2ceb00 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x26) returned 0x2c7a90 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x3e) returned 0x2cb170 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x24) returned 0x2c7ac0 [0067.158] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x30) returned 0x2ceb40 [0067.159] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x8c) returned 0x2cff30 [0067.159] HeapFree (in: hHeap=0x2b0000, dwFlags=0x0, lpMem=0x2d0380 | out: hHeap=0x2b0000) returned 1 [0067.159] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x8, Size=0x1000) returned 0x2d0fb0 [0067.159] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0067.160] GetStartupInfoW (in: lpStartupInfo=0x20f980 | out: lpStartupInfo=0x20f980*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0067.160] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"Install\"" [0067.160] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"Install\"", pNumArgs=0x20f950 | out: pNumArgs=0x20f950) returned 0x2d0450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0067.160] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0067.164] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x1000) returned 0x2d40a0 [0067.164] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x16) returned 0x2d0e80 [0067.164] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MMlFUh3Tzt", cchWideChar=-1, lpMultiByteStr=0x2d0e80, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMlFUh3Tzt", lpUsedDefaultChar=0x0) returned 11 [0067.164] GetLastError () returned 0x0 [0067.164] SetLastError (dwErrCode=0x0) [0067.164] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztW") returned 0x0 [0067.164] GetLastError () returned 0x7f [0067.164] SetLastError (dwErrCode=0x7f) [0067.164] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztA") returned 0x0 [0067.164] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3Tzt") returned 0x7fef2eb0cf0 [0067.165] RtlAllocateHeap (HeapHandle=0x2b0000, Flags=0x0, Size=0x10) returned 0x2d0ea0 [0067.165] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Install", cchWideChar=-1, lpMultiByteStr=0x2d0ea0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Install", lpUsedDefaultChar=0x0) returned 8 [0067.165] GetActiveWindow () returned 0x0 [0067.393] GetLastError () returned 0x7f [0067.393] SetLastError (dwErrCode=0x7f) Process: id = "22" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x43cc6000" os_pid = "0xe8c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"DefaultInstall\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1269 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1270 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1271 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1272 start_va = 0x1f0000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1273 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1274 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1275 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1276 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1277 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1278 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1279 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 1280 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1281 start_va = 0x50000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1282 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1283 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1284 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1285 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1286 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1287 start_va = 0x180000 end_va = 0x1e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1288 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1289 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1290 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1291 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1292 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1293 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1294 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1295 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1296 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1297 start_va = 0x2f0000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1298 start_va = 0x350000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 1300 start_va = 0x50000 end_va = 0x78fff monitored = 0 entry_point = 0x51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1301 start_va = 0x80000 end_va = 0x17ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1302 start_va = 0x450000 end_va = 0x5d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1303 start_va = 0x50000 end_va = 0x78fff monitored = 0 entry_point = 0x51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1304 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1305 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1306 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1307 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1308 start_va = 0x5e0000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 1309 start_va = 0x770000 end_va = 0x1b6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 1314 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1315 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1316 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2416 start_va = 0x1b70000 end_va = 0x1bedfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b70000" filename = "" Region: id = 2448 start_va = 0x1bf0000 end_va = 0x1d47fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bf0000" filename = "" Region: id = 2461 start_va = 0x1d50000 end_va = 0x1eb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d50000" filename = "" Region: id = 2466 start_va = 0x7fefd2c0000 end_va = 0x7fefd42cfff monitored = 0 entry_point = 0x7fefd2c10b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2467 start_va = 0x7fefd270000 end_va = 0x7fefd27efff monitored = 0 entry_point = 0x7fefd271020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2468 start_va = 0x7fefd060000 end_va = 0x7fefd06afff monitored = 0 entry_point = 0x7fefd061030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2469 start_va = 0x7fefd090000 end_va = 0x7fefd0b4fff monitored = 0 entry_point = 0x7fefd099658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2470 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2471 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2472 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2473 start_va = 0x7fefabb0000 end_va = 0x7fefabc7fff monitored = 0 entry_point = 0x7fefabb1010 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2474 start_va = 0x7fefacc0000 end_va = 0x7feface6fff monitored = 0 entry_point = 0x7fefacc98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2475 start_va = 0x7fefed70000 end_va = 0x7fefed77fff monitored = 0 entry_point = 0x7fefed71504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2476 start_va = 0x7fefacb0000 end_va = 0x7fefacbafff monitored = 0 entry_point = 0x7fefacb1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2477 start_va = 0x7fefb550000 end_va = 0x7fefb560fff monitored = 0 entry_point = 0x7fefb551070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2478 start_va = 0x7feff280000 end_va = 0x7feff2ccfff monitored = 0 entry_point = 0x7feff281070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2479 start_va = 0x1ec0000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ec0000" filename = "" Region: id = 2569 start_va = 0x2000000 end_va = 0x22cefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2611 start_va = 0x2430000 end_va = 0x252ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 2612 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2692 start_va = 0x1ec0000 end_va = 0x1f3cfff monitored = 0 entry_point = 0x1eccec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2693 start_va = 0x1f80000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 2694 start_va = 0x1ec0000 end_va = 0x1f3cfff monitored = 0 entry_point = 0x1eccec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2695 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2762 start_va = 0x2580000 end_va = 0x267ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 2763 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2767 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2768 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2769 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 2770 start_va = 0x340000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2771 start_va = 0x7fef9520000 end_va = 0x7fef952dfff monitored = 0 entry_point = 0x7fef9525500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2772 start_va = 0x7fef97c0000 end_va = 0x7fef9836fff monitored = 0 entry_point = 0x7fef97fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2773 start_va = 0x7fefcc30000 end_va = 0x7fefcc51fff monitored = 0 entry_point = 0x7fefcc35d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2774 start_va = 0x2750000 end_va = 0x284ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 2775 start_va = 0x7fefcac0000 end_va = 0x7fefcad7fff monitored = 0 entry_point = 0x7fefcac3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2776 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2777 start_va = 0x1ec0000 end_va = 0x1f04fff monitored = 0 entry_point = 0x1ec1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2778 start_va = 0x1ec0000 end_va = 0x1f04fff monitored = 0 entry_point = 0x1ec1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2779 start_va = 0x1ec0000 end_va = 0x1f04fff monitored = 0 entry_point = 0x1ec1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2780 start_va = 0x1ec0000 end_va = 0x1f04fff monitored = 0 entry_point = 0x1ec1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2781 start_va = 0x1ec0000 end_va = 0x1f04fff monitored = 0 entry_point = 0x1ec1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2782 start_va = 0x7fefc7c0000 end_va = 0x7fefc806fff monitored = 0 entry_point = 0x7fefc7c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2784 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c3fff monitored = 0 entry_point = 0x7fefd1b10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2797 start_va = 0x29c0000 end_va = 0x2abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029c0000" filename = "" Region: id = 2798 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2799 start_va = 0x2880000 end_va = 0x297ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 2800 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2801 start_va = 0x7fef9240000 end_va = 0x7fef9252fff monitored = 0 entry_point = 0x7fef9241d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2802 start_va = 0x7fef9560000 end_va = 0x7fef9632fff monitored = 0 entry_point = 0x7fef95d8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2803 start_va = 0x7fef9530000 end_va = 0x7fef9556fff monitored = 0 entry_point = 0x7fef95311a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2823 start_va = 0x300000 end_va = 0x302fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Thread: id = 46 os_tid = 0xe68 [0067.347] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efbb8 | out: lpSystemTimeAsFileTime=0x2efbb8*(dwLowDateTime=0x223c9ec0, dwHighDateTime=0x1d937fd)) [0067.347] GetCurrentThreadId () returned 0xe68 [0067.347] GetCurrentProcessId () returned 0xe8c [0067.347] QueryPerformanceCounter (in: lpPerformanceCount=0x2efbc0 | out: lpPerformanceCount=0x2efbc0*=3319779895396) returned 1 [0067.347] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0067.349] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0067.349] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0067.350] GetLastError () returned 0x7e [0067.350] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0067.350] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0067.350] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0067.351] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0067.351] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0067.351] GetProcessHeap () returned 0x80000 [0067.351] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0067.352] GetLastError () returned 0x7e [0067.352] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0067.352] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0067.352] GetLastError () returned 0x7e [0067.352] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0067.352] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0067.352] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3c8) returned 0x9cfb0 [0067.352] SetLastError (dwErrCode=0x7e) [0067.352] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1200) returned 0x9d380 [0067.354] GetStartupInfoW (in: lpStartupInfo=0x2efa90 | out: lpStartupInfo=0x2efa90*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2efb18, hStdError=0x1)) [0067.354] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0067.354] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0067.354] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0067.354] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"DefaultInstall\"" [0067.355] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"DefaultInstall\"" [0067.355] GetACP () returned 0x4e4 [0067.355] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x228) returned 0x9ab90 [0067.355] IsValidCodePage (CodePage=0x4e4) returned 1 [0067.355] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2efa50 | out: lpCPInfo=0x2efa50) returned 1 [0067.355] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2ef2f0 | out: lpCPInfo=0x2ef2f0) returned 1 [0067.355] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef310, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.355] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef310, cbMultiByte=256, lpWideCharStr=0x2ef040, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0067.355] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x2ef610 | out: lpCharType=0x2ef610) returned 1 [0067.355] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef310, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.355] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef310, cbMultiByte=256, lpWideCharStr=0x2eefe0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0067.355] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0067.355] GetLastError () returned 0x7e [0067.355] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0067.356] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0067.356] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2eedd0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0067.356] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2ef410, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«\x09", lpUsedDefaultChar=0x0) returned 256 [0067.356] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef310, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0067.356] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef310, cbMultiByte=256, lpWideCharStr=0x2eefe0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0067.356] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0067.356] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2eedd0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0067.356] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2ef510, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0067.356] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x100) returned 0x9f590 [0067.356] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0067.356] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x19c) returned 0x9f6a0 [0067.356] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0067.356] GetLastError () returned 0x0 [0067.357] SetLastError (dwErrCode=0x0) [0067.357] GetEnvironmentStringsW () returned 0x9f850* [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0xb32) returned 0xa0390 [0067.357] FreeEnvironmentStringsW (penv=0x9f850) returned 1 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x128) returned 0x9f850 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3e) returned 0x9afe0 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x56) returned 0x9adc0 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x62) returned 0xa0ed0 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x78) returned 0xa0f40 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x62) returned 0x9f980 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x30) returned 0x9e900 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x48) returned 0x9b030 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x28) returned 0x979a0 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1a) returned 0x979d0 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x34) returned 0x9e940 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x5c) returned 0x9f9f0 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x32) returned 0x9e980 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x2e) returned 0x9e9c0 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1c) returned 0x97a00 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x19c) returned 0x9fa60 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x7c) returned 0x9fc10 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3a) returned 0x9b080 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x90) returned 0x9fca0 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x24) returned 0x97a30 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x30) returned 0x9ea00 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x36) returned 0x9ea40 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3c) returned 0x9b0d0 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x52) returned 0x9fd40 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3c) returned 0x9b120 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xd6) returned 0x9fda0 [0067.357] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x2e) returned 0x9ea80 [0067.358] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1e) returned 0x97a60 [0067.358] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x2c) returned 0x9eac0 [0067.358] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x54) returned 0x9fe80 [0067.358] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x52) returned 0x9fee0 [0067.358] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x2c) returned 0x9eb00 [0067.358] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x26) returned 0x97a90 [0067.358] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3e) returned 0x9b170 [0067.358] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x24) returned 0x97ac0 [0067.358] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x30) returned 0x9eb40 [0067.358] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x8c) returned 0x9ff40 [0067.358] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa0390 | out: hHeap=0x80000) returned 1 [0067.358] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1000) returned 0xa0fd0 [0067.359] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0067.359] GetStartupInfoW (in: lpStartupInfo=0x2efb20 | out: lpStartupInfo=0x2efb20*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0067.359] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"DefaultInstall\"" [0067.359] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"DefaultInstall\"", pNumArgs=0x2efaf0 | out: pNumArgs=0x2efaf0) returned 0xa0460*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0067.359] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0067.366] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x1000) returned 0xa40c0 [0067.366] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x16) returned 0xa0ea0 [0067.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Cpurthnvlc", cchWideChar=-1, lpMultiByteStr=0xa0ea0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Cpurthnvlc", lpUsedDefaultChar=0x0) returned 11 [0067.366] GetLastError () returned 0x0 [0067.366] SetLastError (dwErrCode=0x0) [0067.366] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcW") returned 0x0 [0067.366] GetLastError () returned 0x7f [0067.366] SetLastError (dwErrCode=0x7f) [0067.366] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcA") returned 0x0 [0067.367] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="Cpurthnvlc") returned 0x7fef2ea5970 [0067.367] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x1e) returned 0x97b50 [0067.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefaultInstall", cchWideChar=-1, lpMultiByteStr=0x97b50, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefaultInstall", lpUsedDefaultChar=0x0) returned 15 [0067.367] GetActiveWindow () returned 0x0 [0098.671] VirtualAlloc (lpAddress=0x0, dwSize=0x7e000, flAllocationType=0x3000, flProtect=0x40) returned 0x1b70000 [0098.880] GetProcAddress (hModule=0x77160000, lpProcName="ExitProcess") returned 0x772a40f0 [0098.881] GetProcAddress (hModule=0x77160000, lpProcName="LoadLibraryW") returned 0x77176420 [0098.881] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77280000 [0098.881] GetProcAddress (hModule=0x77280000, lpProcName="NtMapViewOfSection") returned 0x772d1590 [0098.881] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenFile") returned 0x772d1640 [0098.881] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenSection") returned 0x772d1680 [0098.881] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateSection") returned 0x772d17b0 [0098.881] GetProcAddress (hModule=0x77160000, lpProcName="VirtualProtect") returned 0x771629f0 [0098.881] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentThreadId") returned 0x77173380 [0098.881] GetProcAddress (hModule=0x77160000, lpProcName="GetModuleFileNameA") returned 0x77175940 [0098.881] GetProcAddress (hModule=0x77160000, lpProcName="VirtualAlloc") returned 0x77175c40 [0098.881] GetProcAddress (hModule=0x77160000, lpProcName="GetProcessHeap") returned 0x77181a30 [0098.882] GetProcAddress (hModule=0x77160000, lpProcName="HeapAlloc") returned 0x772d33a0 [0098.882] GetProcAddress (hModule=0x77160000, lpProcName="HeapFree") returned 0x77181a50 [0098.882] GetModuleFileNameA (in: hModule=0x7fef2ea0000, lpFilename=0x2ef7f0, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll")) returned 0x62 [0098.882] VirtualAlloc (lpAddress=0x0, dwSize=0x158000, flAllocationType=0x3000, flProtect=0x4) returned 0x1bf0000 [0099.199] GetProcessHeap () returned 0x80000 [0099.199] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x3f80) returned 0xa50d0 [0099.607] GetProcessHeap () returned 0x80000 [0099.607] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa50d0 | out: hHeap=0x80000) returned 1 [0099.607] GetCurrentThreadId () returned 0xe68 [0099.607] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ef6b4 | out: lpflOldProtect=0x2ef6b4*=0x20) returned 1 [0099.608] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ef6b4 | out: lpflOldProtect=0x2ef6b4*=0x40) returned 1 [0099.608] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ef6b4 | out: lpflOldProtect=0x2ef6b4*=0x20) returned 1 [0099.608] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ef6b4 | out: lpflOldProtect=0x2ef6b4*=0x40) returned 1 [0099.609] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ef6b4 | out: lpflOldProtect=0x2ef6b4*=0x20) returned 1 [0099.609] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ef6b4 | out: lpflOldProtect=0x2ef6b4*=0x40) returned 1 [0099.609] LoadLibraryW (lpLibFileName="gdiplus.dll") returned 0x1d50000 [0099.610] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ee524 | out: lpflOldProtect=0x2ee524*=0x20) returned 1 [0099.610] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ee524 | out: lpflOldProtect=0x2ee524*=0x40) returned 1 [0099.610] NtOpenFile (in: FileHandle=0x2ee608, DesiredAccess=0x100020, ObjectAttributes=0x2ee658*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x2ee688, ShareAccess=0x3, OpenOptions=0x21 | out: FileHandle=0x2ee608*=0x70, IoStatusBlock=0x2ee688*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0100.031] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ee524 | out: lpflOldProtect=0x2ee524*=0x20) returned 1 [0100.031] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ee524 | out: lpflOldProtect=0x2ee524*=0x40) returned 1 [0100.032] GetCurrentThreadId () returned 0xe68 [0100.032] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ef1f4 | out: lpflOldProtect=0x2ef1f4*=0x20) returned 1 [0100.032] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ef1f4 | out: lpflOldProtect=0x2ef1f4*=0x40) returned 1 [0100.032] NtOpenFile (in: FileHandle=0x2ef2c0, DesiredAccess=0x100021, ObjectAttributes=0x2ef378*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x2ef3a8, ShareAccess=0x5, OpenOptions=0x60 | out: FileHandle=0x2ef2c0*=0x74, IoStatusBlock=0x2ef3a8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0100.032] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ef1e4 | out: lpflOldProtect=0x2ef1e4*=0x20) returned 1 [0100.033] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ef1e4 | out: lpflOldProtect=0x2ef1e4*=0x40) returned 1 [0100.033] GetCurrentThreadId () returned 0xe68 [0100.033] NtCreateSection (in: SectionHandle=0x2ef2c8, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x74 | out: SectionHandle=0x2ef2c8*=0x78) returned 0x0 [0100.033] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ef074 | out: lpflOldProtect=0x2ef074*=0x20) returned 1 [0100.034] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ef074 | out: lpflOldProtect=0x2ef074*=0x40) returned 1 [0100.034] GetCurrentThreadId () returned 0xe68 [0100.034] NtCreateSection (in: SectionHandle=0x2ef158, DesiredAccess=0xe, ObjectAttributes=0x0, MaximumSize=0x2ef150, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x2ef158*=0x7c) returned 0x0 [0100.034] NtMapViewOfSection (in: SectionHandle=0x7c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x2ef0f8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x2ef318*=0x0, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x2ef0f8*=0x1d50000, SectionOffset=0x0, ViewSize=0x2ef318*=0x161000) returned 0x0 [0100.773] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef1f8 | out: lpSystemTimeAsFileTime=0x2ef1f8*(dwLowDateTime=0x317bf0c0, dwHighDateTime=0x1d937fd)) [0100.773] GetCurrentThreadId () returned 0xe68 [0100.774] GetCurrentProcessId () returned 0xe8c [0100.774] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef200 | out: lpPerformanceCount=0x2ef200*=3323505679012) returned 1 [0101.452] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0101.453] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0101.454] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0101.454] GetLastError () returned 0x7e [0101.454] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0101.454] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0101.475] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0102.861] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0102.861] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0102.874] GetProcessHeap () returned 0x80000 [0102.890] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0102.891] GetLastError () returned 0x7e [0102.891] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0102.891] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0102.891] GetLastError () returned 0x7e [0102.891] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0103.220] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3c8) returned 0xb1aa0 [0103.220] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0103.241] SetLastError (dwErrCode=0x7e) [0103.699] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1000) returned 0xb1e70 [0103.701] GetStartupInfoW (in: lpStartupInfo=0x2ef080 | out: lpStartupInfo=0x2ef080*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x1)) [0103.701] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0103.701] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0103.701] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0103.724] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"DefaultInstall\"" [0103.724] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"DefaultInstall\"" [0104.195] GetLastError () returned 0x7e [0104.195] SetLastError (dwErrCode=0x7e) [0104.195] GetLastError () returned 0x7e [0104.196] SetLastError (dwErrCode=0x7e) [0104.196] GetACP () returned 0x4e4 [0104.196] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x228) returned 0xb3e80 [0104.196] IsValidCodePage (CodePage=0x4e4) returned 1 [0104.196] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2ef050 | out: lpCPInfo=0x2ef050) returned 1 [0104.218] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2ee8f0 | out: lpCPInfo=0x2ee8f0) returned 1 [0104.218] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ee910, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0104.218] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ee910, cbMultiByte=256, lpWideCharStr=0x2ee640, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ\x08") returned 256 [0104.218] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ\x08", cchSrc=256, lpCharType=0x2eec10 | out: lpCharType=0x2eec10) returned 1 [0104.610] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ee910, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0104.611] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ee910, cbMultiByte=256, lpWideCharStr=0x2ee5e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0104.611] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0104.611] GetLastError () returned 0x7e [0104.611] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0104.611] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0104.611] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ee3d0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0104.611] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2eea10, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿX\x01\x08", lpUsedDefaultChar=0x0) returned 256 [0104.611] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ee910, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0104.612] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ee910, cbMultiByte=256, lpWideCharStr=0x2ee5e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0104.612] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0104.612] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ee3d0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0104.612] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2eeb10, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0104.612] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x100) returned 0xb40b0 [0104.612] RtlInitializeSListHead (in: ListHead=0x1e98410 | out: ListHead=0x1e98410) [0104.998] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0104.998] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0104.998] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0104.998] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0104.998] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0104.999] GetProcAddress (hModule=0x77160000, lpProcName="InitializeCriticalSectionEx") returned 0x77176e50 [0104.999] GetProcAddress (hModule=0x77160000, lpProcName="InitOnceExecuteOnce") returned 0x77165d60 [0104.999] GetProcAddress (hModule=0x77160000, lpProcName="CreateEventExW") returned 0x771ac970 [0104.999] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreW") returned 0x77168e00 [0104.999] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreExW") returned 0x771ac8a0 [0104.999] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolTimer") returned 0x77167e90 [0104.999] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolTimer") returned 0x7729b2f0 [0105.000] GetProcAddress (hModule=0x77160000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7728d8c0 [0105.000] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolTimer") returned 0x7728d620 [0105.000] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWait") returned 0x771abe60 [0105.000] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolWait") returned 0x7729e170 [0105.000] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWait") returned 0x7728c540 [0105.001] GetProcAddress (hModule=0x77160000, lpProcName="FlushProcessWriteBuffers") returned 0x772d1f80 [0105.001] GetProcAddress (hModule=0x77160000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x7734ec60 [0105.001] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentProcessorNumber") returned 0x772d0040 [0105.001] GetProcAddress (hModule=0x77160000, lpProcName="CreateSymbolicLinkW") returned 0x771d5af0 [0105.001] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentPackageId") returned 0x0 [0105.002] GetProcAddress (hModule=0x77160000, lpProcName="GetTickCount64") returned 0x77168ac0 [0105.002] GetProcAddress (hModule=0x77160000, lpProcName="GetFileInformationByHandleEx") returned 0x771712f0 [0105.002] GetProcAddress (hModule=0x77160000, lpProcName="SetFileInformationByHandle") returned 0x771ac120 [0105.002] GetProcAddress (hModule=0x77160000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0105.002] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0105.003] GetProcAddress (hModule=0x77160000, lpProcName="WakeConditionVariable") returned 0x7733bab0 [0105.003] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0105.003] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0105.003] GetProcAddress (hModule=0x77160000, lpProcName="InitializeSRWLock") returned 0x772b84f0 [0105.003] GetProcAddress (hModule=0x77160000, lpProcName="AcquireSRWLockExclusive") returned 0x772a8020 [0105.004] GetProcAddress (hModule=0x77160000, lpProcName="TryAcquireSRWLockExclusive") returned 0x7732bdd0 [0105.004] GetProcAddress (hModule=0x77160000, lpProcName="ReleaseSRWLockExclusive") returned 0x772a8050 [0105.004] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableSRW") returned 0x771ab5c0 [0105.004] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWork") returned 0x77165d30 [0105.004] GetProcAddress (hModule=0x77160000, lpProcName="SubmitThreadpoolWork") returned 0x77292330 [0105.004] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWork") returned 0x772921f0 [0105.005] GetProcAddress (hModule=0x77160000, lpProcName="CompareStringEx") returned 0x771abd60 [0105.005] GetProcAddress (hModule=0x77160000, lpProcName="GetLocaleInfoEx") returned 0x771635e0 [0105.005] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0105.005] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0105.008] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0105.009] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0105.009] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0105.009] RtlInitializeConditionVariable () returned 0x772a00b0 [0105.024] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1000) returned 0xb41c0 [0105.228] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1e98fb0, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0105.228] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xe2) returned 0xa2f00 [0105.228] GetEnvironmentStringsW () returned 0xb51d0* [0105.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1433 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x599) returned 0xb5d10 [0105.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0xb5d10, cbMultiByte=1433, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1433 [0105.229] FreeEnvironmentStringsW (penv=0xb51d0) returned 1 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x128) returned 0xb51d0 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1f) returned 0xa5ca0 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x2b) returned 0xb3770 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x31) returned 0xb37b0 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3c) returned 0xb00e0 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x31) returned 0xb37f0 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x18) returned 0xb5300 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x24) returned 0xa5cd0 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x14) returned 0xb5320 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xd) returned 0xb5340 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1a) returned 0xa5d00 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x2e) returned 0xb3830 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x19) returned 0xa5d30 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x17) returned 0xb5360 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xe) returned 0xb5380 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xce) returned 0xb53a0 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3e) returned 0xb0130 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1d) returned 0xa5d60 [0105.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x48) returned 0xb0180 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x12) returned 0xb5480 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x18) returned 0xb54a0 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1b) returned 0xa5d90 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1e) returned 0xa5dc0 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x29) returned 0xb3870 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1e) returned 0xa5df0 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x6b) returned 0xabde0 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x17) returned 0xb54c0 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0xf) returned 0xb54e0 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x16) returned 0xb5500 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x2a) returned 0xb38b0 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x29) returned 0xb38f0 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x16) returned 0xb5520 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x13) returned 0xb62f0 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x1f) returned 0xa5e20 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x12) returned 0xb6310 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x18) returned 0xb6330 [0105.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x46) returned 0xb01d0 [0105.231] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb5d10 | out: hHeap=0x80000) returned 1 [0105.522] GetCurrentThread () returned 0xfffffffffffffffe [0105.522] GetThreadTimes (in: hThread=0xfffffffffffffffe, lpCreationTime=0x2ef138, lpExitTime=0x2ef130, lpKernelTime=0x2ef130, lpUserTime=0x2ef130 | out: lpCreationTime=0x2ef138, lpExitTime=0x2ef130, lpKernelTime=0x2ef130, lpUserTime=0x2ef130) returned 1 [0105.522] RtlInitializeSListHead (in: ListHead=0x1e98aa0 | out: ListHead=0x1e98aa0) [0105.863] RtlPcToFileHeader (in: PcValue=0x1e7fef8, BaseOfImage=0x2ef060 | out: BaseOfImage=0x2ef060*=0x1d50000) returned 0x1d50000 [0106.532] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x50) returned 0xb6ac0 [0106.533] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x98 [0106.533] RtlWakeAllConditionVariable () returned 0x772a00b0 [0106.546] RtlWakeAllConditionVariable () returned 0x772a00b0 [0106.546] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x2eefb0 | out: lpWSAData=0x2eefb0) returned 0 [0106.998] RtlWakeAllConditionVariable () returned 0x772a00b0 [0106.999] RtlWakeAllConditionVariable () returned 0x772a00b0 [0107.233] RtlSizeHeap (HeapHandle=0x80000, Flags=0x0, MemoryPointer=0xb40b0) returned 0x100 [0107.233] RtlReAllocateHeap (Heap=0x80000, Flags=0x0, Ptr=0xb40b0, Size=0x200) returned 0xb5540 [0107.247] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0107.247] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateThreadEx") returned 0x772d1d90 [0107.247] GetProcAddress (hModule=0x77280000, lpProcName="RtlNewSecurityObjectWithMultipleInheritance") returned 0x77364540 [0107.247] GetCurrentProcess () returned 0xffffffffffffffff [0107.247] NtCreateThreadEx (in: ThreadHandle=0x1e99890, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffffffffffff, lpStartAddress=0x77364540, lpParameter=0x0, CreateSuspended=1, StackZeroBits=0x0, SizeOfStackCommit=0x0, SizeOfStackReserve=0x0, lpBytesBuffer=0x0 | out: ThreadHandle=0x1e99890*=0xb0, lpBytesBuffer=0x0) returned 0x0 [0107.248] GetThreadContext (in: hThread=0xb0, lpContext=0x2eece0 | out: lpContext=0x2eece0*(P1Home=0xb6ec0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0xb, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0xb40b0, Dr2=0x772d3488, Dr3=0x80230, Dr6=0x80388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x77364540, Rdx=0x0, Rbx=0x0, Rsp=0x252fa38, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0xb40b0, VectorRegister.High=0xb40b0, VectorControl=0x0, DebugControl=0x1dd7129, LastBranchToRip=0x0, LastBranchFromRip=0x2ef698, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0107.431] SetThreadContext (hThread=0xb0, lpContext=0x2eece0*(P1Home=0xb6ec0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0xb, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0xb40b0, Dr2=0x772d3488, Dr3=0x80230, Dr6=0x80388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x1d6365c, Rdx=0x0, Rbx=0x0, Rsp=0x252fa38, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0xb40b0, VectorRegister.High=0xb40b0, VectorControl=0x0, DebugControl=0x1dd7129, LastBranchToRip=0x0, LastBranchFromRip=0x2ef698, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0107.445] ResumeThread (hThread=0xb0) returned 0x1 [0107.451] GetProcAddress (hModule=0x1d50000, lpProcName="setPath") returned 0x1d64604 [0107.451] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x70) returned 0xabe60 [0107.451] SetEvent (hEvent=0x98) returned 1 [0107.466] WaitForSingleObject (hHandle=0xb0, dwMilliseconds=0xffffffff) returned 0x0 [0127.179] RtlExitUserProcess (ExitCode=0x0) [0127.184] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0x9cfb0 | out: hHeap=0x80000) returned 1 [0127.364] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb1aa0 | out: hHeap=0x80000) returned 1 [0127.725] WSACleanup () returned 0 [0127.990] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xabe60 | out: hHeap=0x80000) returned 1 [0127.991] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6ac0 | out: hHeap=0x80000) returned 1 [0128.163] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9680 | out: hHeap=0x80000) returned 1 [0128.164] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb83f0 | out: hHeap=0x80000) returned 1 [0128.165] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6370 | out: hHeap=0x80000) returned 1 [0128.165] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb61b0 | out: hHeap=0x80000) returned 1 [0128.166] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb3e30 | out: hHeap=0x80000) returned 1 [0128.184] RtlInterlockedFlushSList (in: ListHead=0x1e98410 | out: ListHead=0x1e98410) returned 0x0 [0128.184] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb5540 | out: hHeap=0x80000) returned 1 [0128.417] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb41c0 | out: hHeap=0x80000) returned 1 [0128.417] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0128.418] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xd50e0 | out: hHeap=0x80000) returned 1 [0128.419] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xe2f90 | out: hHeap=0x80000) returned 1 [0128.420] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb61d0 | out: hHeap=0x80000) returned 1 [0128.420] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb93c0 | out: hHeap=0x80000) returned 1 [0128.420] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xe6bf0 | out: hHeap=0x80000) returned 1 [0128.510] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0128.510] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xabfe0 | out: hHeap=0x80000) returned 1 [0128.511] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xac060 | out: hHeap=0x80000) returned 1 [0128.512] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xac0e0 | out: hHeap=0x80000) returned 1 [0128.541] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5ca0 | out: hHeap=0x80000) returned 1 [0128.541] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb3770 | out: hHeap=0x80000) returned 1 [0128.542] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb37b0 | out: hHeap=0x80000) returned 1 [0128.542] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb00e0 | out: hHeap=0x80000) returned 1 [0128.543] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb37f0 | out: hHeap=0x80000) returned 1 [0128.543] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb5300 | out: hHeap=0x80000) returned 1 [0128.597] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5cd0 | out: hHeap=0x80000) returned 1 [0128.598] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb5320 | out: hHeap=0x80000) returned 1 [0128.598] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb5340 | out: hHeap=0x80000) returned 1 [0128.598] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5d00 | out: hHeap=0x80000) returned 1 [0128.599] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb3830 | out: hHeap=0x80000) returned 1 [0128.599] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5d30 | out: hHeap=0x80000) returned 1 [0128.599] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb5360 | out: hHeap=0x80000) returned 1 [0128.599] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb5380 | out: hHeap=0x80000) returned 1 [0128.599] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb53a0 | out: hHeap=0x80000) returned 1 [0128.600] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0130 | out: hHeap=0x80000) returned 1 [0128.600] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5d60 | out: hHeap=0x80000) returned 1 [0128.600] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0180 | out: hHeap=0x80000) returned 1 [0128.601] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb5480 | out: hHeap=0x80000) returned 1 [0128.601] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb54a0 | out: hHeap=0x80000) returned 1 [0128.601] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5d90 | out: hHeap=0x80000) returned 1 [0128.601] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5dc0 | out: hHeap=0x80000) returned 1 [0128.601] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb3870 | out: hHeap=0x80000) returned 1 [0128.601] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5df0 | out: hHeap=0x80000) returned 1 [0128.601] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xabde0 | out: hHeap=0x80000) returned 1 [0128.601] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb54c0 | out: hHeap=0x80000) returned 1 [0128.601] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb54e0 | out: hHeap=0x80000) returned 1 [0128.602] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb5500 | out: hHeap=0x80000) returned 1 [0128.602] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb38b0 | out: hHeap=0x80000) returned 1 [0128.602] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb38f0 | out: hHeap=0x80000) returned 1 [0128.602] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb5520 | out: hHeap=0x80000) returned 1 [0128.602] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb62f0 | out: hHeap=0x80000) returned 1 [0128.602] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5e20 | out: hHeap=0x80000) returned 1 [0128.602] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6310 | out: hHeap=0x80000) returned 1 [0128.602] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6330 | out: hHeap=0x80000) returned 1 [0128.603] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb01d0 | out: hHeap=0x80000) returned 1 [0128.603] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb51d0 | out: hHeap=0x80000) returned 1 [0128.604] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb3e80 | out: hHeap=0x80000) returned 1 [0128.604] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa2f00 | out: hHeap=0x80000) returned 1 [0128.628] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb1e70 | out: hHeap=0x80000) returned 1 [0128.628] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0128.628] FreeLibrary (hLibModule=0x77160000) returned 1 [0128.774] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0128.774] FreeLibrary (hLibModule=0x77160000) returned 1 Thread: id = 155 os_tid = 0x850 [0107.467] GetLastError () returned 0x57 [0107.467] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0107.467] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x78) returned 0xabee0 [0107.467] SetLastError (dwErrCode=0x57) [0107.467] GetLastError () returned 0x57 [0107.467] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3c8) returned 0xb5b70 [0107.467] SetLastError (dwErrCode=0x57) [0107.481] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0107.482] GetLastError () returned 0x7e [0107.482] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x252f4c0 | out: lpSystemTimeAsFileTime=0x252f4c0*(dwLowDateTime=0x35210bc0, dwHighDateTime=0x1d937fd)) [0107.482] GetLastError () returned 0x7e [0107.482] SetLastError (dwErrCode=0x7e) [0107.482] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0107.482] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x70) returned 0xabf60 [0107.701] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x260) returned 0xb5f40 [0108.060] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0108.314] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x38) returned 0xb3e30 [0108.592] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x2) returned 0xb61b0 [0108.624] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb61b0 | out: hHeap=0x80000) returned 1 [0108.624] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x2) returned 0xb61b0 [0108.903] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x30) returned 0xb83f0 [0109.194] GetLastError () returned 0x7e [0109.214] SetLastError (dwErrCode=0x7e) [0109.465] GetLastError () returned 0x7e [0109.465] SetLastError (dwErrCode=0x7e) [0109.856] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x158) returned 0xb93c0 [0109.857] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x6a6) returned 0xb9520 [0109.857] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9520 | out: hHeap=0x80000) returned 1 [0109.857] GetLastError () returned 0x7e [0109.857] SetLastError (dwErrCode=0x7e) [0109.883] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x6) returned 0xb61d0 [0109.883] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x2) returned 0xb61f0 [0110.079] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x4) returned 0xb6210 [0110.079] GetLastError () returned 0x7e [0110.079] SetLastError (dwErrCode=0x7e) [0110.079] GetLastError () returned 0x7e [0110.079] SetLastError (dwErrCode=0x7e) [0110.079] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x158) returned 0xb9520 [0110.079] GetLastError () returned 0x7e [0110.079] SetLastError (dwErrCode=0x7e) [0110.260] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x6a6) returned 0xb9680 [0110.261] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9680 | out: hHeap=0x80000) returned 1 [0110.261] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb61d0 | out: hHeap=0x80000) returned 1 [0110.262] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb93c0 | out: hHeap=0x80000) returned 1 [0110.262] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6210 | out: hHeap=0x80000) returned 1 [0110.262] GetLastError () returned 0x7e [0110.262] SetLastError (dwErrCode=0x7e) [0110.262] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x6) returned 0xb61d0 [0110.262] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x2) returned 0xb6210 [0110.262] GetLastError () returned 0x7e [0110.262] SetLastError (dwErrCode=0x7e) [0110.262] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x200) returned 0xb9680 [0110.262] GetLastError () returned 0x7e [0110.262] SetLastError (dwErrCode=0x7e) [0110.262] GetLastError () returned 0x7e [0110.262] SetLastError (dwErrCode=0x7e) [0110.262] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x4) returned 0xb6230 [0110.262] GetLastError () returned 0x7e [0110.262] SetLastError (dwErrCode=0x7e) [0110.262] GetLastError () returned 0x7e [0110.262] SetLastError (dwErrCode=0x7e) [0110.262] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x158) returned 0xb93c0 [0110.263] GetLastError () returned 0x7e [0110.263] SetLastError (dwErrCode=0x7e) [0110.263] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x6a6) returned 0xb9890 [0110.263] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9890 | out: hHeap=0x80000) returned 1 [0110.263] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb61d0 | out: hHeap=0x80000) returned 1 [0110.264] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9520 | out: hHeap=0x80000) returned 1 [0110.264] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6230 | out: hHeap=0x80000) returned 1 [0110.264] GetLastError () returned 0x7e [0110.264] SetLastError (dwErrCode=0x7e) [0110.264] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x6) returned 0xb61d0 [0110.264] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6210 | out: hHeap=0x80000) returned 1 [0110.264] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb61f0 | out: hHeap=0x80000) returned 1 [0110.264] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6370 [0110.264] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0110.264] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x25a) returned 0xb9890 [0110.573] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0110.978] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5ee0 [0110.978] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5f10 [0110.978] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0110.999] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5ee0 | out: hHeap=0x80000) returned 1 [0110.999] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5ee0 [0111.000] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x60) returned 0xad600 [0111.000] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.000] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x80) returned 0xb61f0 [0111.000] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xad600 | out: hHeap=0x80000) returned 1 [0111.000] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5f40 [0111.001] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0xc0) returned 0xb40b0 [0111.001] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb61f0 | out: hHeap=0x80000) returned 1 [0111.001] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5f70 [0111.001] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5fa0 [0111.001] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x120) returned 0xb9520 [0111.001] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb40b0 | out: hHeap=0x80000) returned 1 [0111.001] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5fd0 [0111.001] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa6000 [0111.002] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x1a0) returned 0xb9b00 [0111.002] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9520 | out: hHeap=0x80000) returned 1 [0111.002] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa6030 [0111.002] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa6060 [0111.002] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa6090 [0111.002] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa60c0 [0111.002] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x260) returned 0xb9cb0 [0111.003] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9b00 | out: hHeap=0x80000) returned 1 [0111.003] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa60f0 [0111.003] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa6120 [0111.003] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa6150 [0111.003] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa6180 [0111.003] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xb9f50 [0111.004] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xb9f80 [0111.004] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x380) returned 0xbab20 [0111.004] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9cb0 | out: hHeap=0x80000) returned 1 [0111.004] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xb9fb0 [0111.004] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xb9fe0 [0111.004] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xba010 [0111.004] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xba040 [0111.004] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xba070 [0111.004] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xba0a0 [0111.004] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xba0d0 [0111.004] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xba100 [0111.004] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xba130 [0111.005] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x540) returned 0xbaeb0 [0111.005] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xbab20 | out: hHeap=0x80000) returned 1 [0111.005] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xba160 [0111.005] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xba190 [0111.005] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xba1c0 [0111.005] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xba1f0 [0111.005] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xba220 [0111.006] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.006] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9890 | out: hHeap=0x80000) returned 1 [0111.006] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.006] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.228] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.228] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.228] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x12) returned 0xb63b0 [0111.228] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.228] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.229] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.229] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.229] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.229] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0270 [0111.229] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.229] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x11) returned 0xb63b0 [0111.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.230] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.230] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.230] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.230] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.230] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x80) returned 0xb61f0 [0111.231] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0270 | out: hHeap=0x80000) returned 1 [0111.231] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.231] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.231] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.231] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0xf) returned 0xb63b0 [0111.231] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.231] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.232] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.232] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.232] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.232] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.232] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0xc0) returned 0xb40b0 [0111.232] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb61f0 | out: hHeap=0x80000) returned 1 [0111.233] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.233] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.233] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.233] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb63b0 [0111.233] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.233] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.234] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.234] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.234] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.234] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.234] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x100) returned 0xb9520 [0111.234] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb40b0 | out: hHeap=0x80000) returned 1 [0111.234] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.235] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.235] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.235] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x13) returned 0xb63b0 [0111.235] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.235] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.235] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.235] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.235] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.235] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.235] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x180) returned 0xbab20 [0111.236] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9520 | out: hHeap=0x80000) returned 1 [0111.236] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.236] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.236] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.237] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x12) returned 0xb63b0 [0111.237] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.237] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.237] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.237] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.237] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.237] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.238] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.238] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.238] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.238] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb63b0 [0111.238] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.238] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.238] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.238] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.238] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.238] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.238] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x240) returned 0xb9890 [0111.239] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xbab20 | out: hHeap=0x80000) returned 1 [0111.239] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.239] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.239] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.240] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0xe) returned 0xb63b0 [0111.240] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.240] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.240] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.240] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.240] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.240] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.241] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.241] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.241] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.241] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x12) returned 0xb63b0 [0111.241] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.241] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.241] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.241] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.241] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.241] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.242] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.242] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.242] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.242] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x11) returned 0xb63b0 [0111.242] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.242] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.243] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.243] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.243] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.243] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.243] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x340) returned 0xbab20 [0111.243] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9890 | out: hHeap=0x80000) returned 1 [0111.244] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.244] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.244] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.244] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x13) returned 0xb63b0 [0111.244] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.244] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.244] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.244] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.244] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.244] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.245] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.245] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.245] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.245] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x12) returned 0xb63b0 [0111.245] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.245] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.246] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.246] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.246] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.246] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.246] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.246] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.246] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.246] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x13) returned 0xb63b0 [0111.246] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.247] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.247] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.247] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.247] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.247] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.247] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.247] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.248] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.248] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x12) returned 0xb63b0 [0111.248] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.248] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.248] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.248] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.248] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.248] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.248] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x4c0) returned 0xb9890 [0111.249] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xbab20 | out: hHeap=0x80000) returned 1 [0111.249] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.249] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.249] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.250] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x11) returned 0xb63b0 [0111.250] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.250] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.250] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.250] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.250] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.250] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.251] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.251] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.251] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.251] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x12) returned 0xb63b0 [0111.251] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.251] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.251] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.251] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.251] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.251] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.252] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.252] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.252] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.252] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb63b0 [0111.252] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.252] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.253] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.253] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.253] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.253] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.253] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.253] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.253] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.253] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb63b0 [0111.253] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.254] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.254] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.254] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.254] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.254] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.254] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.254] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.255] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.255] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x11) returned 0xb63b0 [0111.255] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.255] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.255] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.255] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.255] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.255] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.256] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.256] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.256] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.256] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x11) returned 0xb63b0 [0111.256] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.256] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.256] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.256] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.256] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.256] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.257] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x700) returned 0xbb400 [0111.257] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9890 | out: hHeap=0x80000) returned 1 [0111.258] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.258] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.258] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.258] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x12) returned 0xb63b0 [0111.258] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.258] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.259] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.535] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.535] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.535] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.536] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.536] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.536] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.536] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x11) returned 0xb63b0 [0111.536] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.536] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.537] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.537] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.537] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.537] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.537] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.537] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.537] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.537] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x11) returned 0xb63b0 [0111.537] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.537] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.538] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.538] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.538] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.538] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.538] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.538] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.538] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.539] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x12) returned 0xb63b0 [0111.539] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.539] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.539] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.539] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.539] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.539] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.540] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.540] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.540] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.540] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x11) returned 0xb63b0 [0111.540] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.540] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.540] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.541] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.541] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.541] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.541] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.541] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.542] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.542] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb63b0 [0111.542] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.542] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.542] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.542] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.542] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.542] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.543] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.543] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.543] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.543] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x12) returned 0xb63b0 [0111.543] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.543] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.544] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.544] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.544] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.544] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.545] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.545] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.545] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.545] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x11) returned 0xb63b0 [0111.545] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.545] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.545] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.546] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.546] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.546] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.546] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.546] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.546] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.546] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x13) returned 0xb63b0 [0111.547] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.547] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.547] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.547] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.547] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.547] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.547] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0xa80) returned 0xbbb10 [0111.548] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xbb400 | out: hHeap=0x80000) returned 1 [0111.549] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.549] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.549] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.549] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb63b0 [0111.549] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.549] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.549] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.550] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.550] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.550] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.550] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.550] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.550] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.550] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x11) returned 0xb63b0 [0111.551] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.551] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.551] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.551] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.551] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.551] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.552] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.552] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.552] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.552] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x13) returned 0xb63b0 [0111.552] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.552] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.553] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.553] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.553] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.553] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.553] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.553] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6350 [0111.554] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x10) returned 0xb6390 [0111.554] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x12) returned 0xb63b0 [0111.554] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xa5eb0 [0111.554] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x40) returned 0xb0220 [0111.554] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5eb0 | out: hHeap=0x80000) returned 1 [0111.554] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb63b0 | out: hHeap=0x80000) returned 1 [0111.554] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6390 | out: hHeap=0x80000) returned 1 [0111.554] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6350 | out: hHeap=0x80000) returned 1 [0111.555] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb0220 | out: hHeap=0x80000) returned 1 [0111.555] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5f10 | out: hHeap=0x80000) returned 1 [0111.555] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5ee0 | out: hHeap=0x80000) returned 1 [0111.558] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5f40 | out: hHeap=0x80000) returned 1 [0111.558] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5f70 | out: hHeap=0x80000) returned 1 [0111.559] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5fa0 | out: hHeap=0x80000) returned 1 [0111.559] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa5fd0 | out: hHeap=0x80000) returned 1 [0111.559] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa6000 | out: hHeap=0x80000) returned 1 [0111.560] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa6030 | out: hHeap=0x80000) returned 1 [0111.560] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa6060 | out: hHeap=0x80000) returned 1 [0111.560] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa6090 | out: hHeap=0x80000) returned 1 [0111.561] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa60c0 | out: hHeap=0x80000) returned 1 [0111.561] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa60f0 | out: hHeap=0x80000) returned 1 [0111.561] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa6120 | out: hHeap=0x80000) returned 1 [0111.562] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa6150 | out: hHeap=0x80000) returned 1 [0111.562] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xa6180 | out: hHeap=0x80000) returned 1 [0111.562] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9f50 | out: hHeap=0x80000) returned 1 [0111.563] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9f80 | out: hHeap=0x80000) returned 1 [0111.563] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9fb0 | out: hHeap=0x80000) returned 1 [0111.563] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb9fe0 | out: hHeap=0x80000) returned 1 [0111.564] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xba010 | out: hHeap=0x80000) returned 1 [0111.564] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xba040 | out: hHeap=0x80000) returned 1 [0111.564] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xba070 | out: hHeap=0x80000) returned 1 [0111.565] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xba0a0 | out: hHeap=0x80000) returned 1 [0111.565] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xba0d0 | out: hHeap=0x80000) returned 1 [0111.566] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xba100 | out: hHeap=0x80000) returned 1 [0111.566] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xba130 | out: hHeap=0x80000) returned 1 [0111.566] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xba160 | out: hHeap=0x80000) returned 1 [0111.567] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xba190 | out: hHeap=0x80000) returned 1 [0111.567] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xba1c0 | out: hHeap=0x80000) returned 1 [0111.567] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xba1f0 | out: hHeap=0x80000) returned 1 [0111.568] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xba220 | out: hHeap=0x80000) returned 1 [0111.568] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xbaeb0 | out: hHeap=0x80000) returned 1 [0111.993] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb5f40 | out: hHeap=0x80000) returned 1 [0112.013] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0112.331] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0119.723] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0119.723] GetProcAddress (hModule=0x77280000, lpProcName="ZwAllocateVirtualMemory") returned 0x772d1490 [0119.723] GetProcAddress (hModule=0x77280000, lpProcName="ZwWriteVirtualMemory") returned 0x772d16b0 [0119.724] GetProcAddress (hModule=0x77280000, lpProcName="ZwReadVirtualMemory") returned 0x772d1700 [0119.724] GetProcAddress (hModule=0x77280000, lpProcName="ZwGetContextThread") returned 0x772d1fe0 [0119.724] GetProcAddress (hModule=0x77280000, lpProcName="ZwSetContextThread") returned 0x772d2840 [0120.226] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x30) returned 0xc8020 [0120.369] CoCreateInstance (in: rclsid=0x1e357e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e357f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x252f370 | out: ppv=0x252f370*=0xb66d0) returned 0x0 [0120.492] WbemLocator:IWbemLocator:ConnectServer (in: This=0xb66d0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x252f368 | out: ppNamespace=0x252f368*=0xe3640) returned 0x0 [0121.261] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x7fefd730000 [0121.261] GetProcAddress (hModule=0x7fefd730000, lpProcName="CoSetProxyBlanket") returned 0x7fefd76bf00 [0121.262] CoSetProxyBlanket (pProxy=0xe3640, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0121.262] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x18) returned 0xb69d0 [0121.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xc8020, cbMultiByte=35, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 35 [0121.414] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xc8020, cbMultiByte=35, lpWideCharStr=0x252f260, cchWideChar=35 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystem") returned 35 [0121.415] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x18) returned 0xb69f0 [0121.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e4b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0121.415] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e4b258, cbMultiByte=4, lpWideCharStr=0x252f2a0, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0121.415] IWbemServices:ExecQuery (in: This=0xe3640, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystem", lFlags=48, pCtx=0x0, ppEnum=0x252f378 | out: ppEnum=0x252f378*=0xea600) returned 0x0 [0121.608] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb69f0 | out: hHeap=0x80000) returned 1 [0121.608] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb69d0 | out: hHeap=0x80000) returned 1 [0121.608] IEnumWbemClassObject:Next (in: This=0xea600, lTimeout=-1, uCount=0x1, apObjects=0x252f380, puReturned=0x252f498 | out: apObjects=0x252f380*=0xee410, puReturned=0x252f498*=0x1) returned 0x0 [0121.939] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x252f4d0, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0121.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x252f4d0, cbMultiByte=4, lpWideCharStr=0x252f298, cchWideChar=4 | out: lpWideCharStr="Name") returned 4 [0122.216] IWbemClassObject:Get (in: This=0xee410, wszName="Name", lFlags=0, pVal=0x252f420*(varType=0x0, wReserved1=0xc, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x252f420*(varType=0x8, wReserved1=0xc, wReserved2=0x0, wReserved3=0x0, varVal1="Q9IATRKPRH", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0122.367] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x20) returned 0xcbd00 [0122.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0122.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x252f2b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Q9IATRKPRH", lpUsedDefaultChar=0x0) returned 10 [0122.387] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xcbd00 | out: hHeap=0x80000) returned 1 [0122.388] IUnknown:Release (This=0xee410) returned 0x0 [0122.388] WbemLocator:IUnknown:Release (This=0xe3640) returned 0x0 [0122.424] WbemLocator:IUnknown:Release (This=0xb66d0) returned 0x0 [0122.424] IUnknown:Release (This=0xea600) returned 0x0 [0122.426] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xc8020 | out: hHeap=0x80000) returned 1 [0122.426] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x30) returned 0xc8020 [0122.426] CoCreateInstance (in: rclsid=0x1e357e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e357f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x252f370 | out: ppv=0x252f370*=0xb6a50) returned 0x0 [0122.427] WbemLocator:IWbemLocator:ConnectServer (in: This=0xb6a50, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x252f368 | out: ppNamespace=0x252f368*=0xe3640) returned 0x0 [0122.704] CoSetProxyBlanket (pProxy=0xe3640, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0122.704] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x18) returned 0xb6a70 [0122.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xc8020, cbMultiByte=42, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 42 [0122.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xc8020, cbMultiByte=42, lpWideCharStr=0x252f250, cchWideChar=42 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystemProduct") returned 42 [0122.705] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x18) returned 0xb66d0 [0122.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e4b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0122.705] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e4b258, cbMultiByte=4, lpWideCharStr=0x252f2a0, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0122.705] IWbemServices:ExecQuery (in: This=0xe3640, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystemProduct", lFlags=48, pCtx=0x0, ppEnum=0x252f378 | out: ppEnum=0x252f378*=0xea600) returned 0x0 [0122.708] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb66d0 | out: hHeap=0x80000) returned 1 [0122.708] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb6a70 | out: hHeap=0x80000) returned 1 [0122.708] IEnumWbemClassObject:Next (in: This=0xea600, lTimeout=-1, uCount=0x1, apObjects=0x252f380, puReturned=0x252f498 | out: apObjects=0x252f380*=0xec380, puReturned=0x252f498*=0x1) returned 0x0 [0122.924] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x252f4d0, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0122.924] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x252f4d0, cbMultiByte=4, lpWideCharStr=0x252f298, cchWideChar=4 | out: lpWideCharStr="UUID") returned 4 [0122.924] IWbemClassObject:Get (in: This=0xec380, wszName="UUID", lFlags=0, pVal=0x252f420*(varType=0x0, wReserved1=0xc, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x252f420*(varType=0x8, wReserved1=0xc, wReserved2=0x0, wReserved3=0x0, varVal1="4C4C4544-0050-3710-8058-CAC04F59344A", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0122.925] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x50) returned 0xc7700 [0122.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0122.925] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x30) returned 0xddd80 [0122.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0xddd80, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4C4C4544-0050-3710-8058-CAC04F59344A", lpUsedDefaultChar=0x0) returned 36 [0122.925] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xc7700 | out: hHeap=0x80000) returned 1 [0122.925] IUnknown:Release (This=0xec380) returned 0x0 [0122.925] WbemLocator:IUnknown:Release (This=0xe3640) returned 0x0 [0122.926] WbemLocator:IUnknown:Release (This=0xb6a50) returned 0x0 [0122.926] IUnknown:Release (This=0xea600) returned 0x0 [0122.931] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xc8020 | out: hHeap=0x80000) returned 1 [0122.931] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x30) returned 0xc8020 [0123.275] GetLastError () returned 0x0 [0123.275] SetLastError (dwErrCode=0x0) [0123.423] GetLastError () returned 0x0 [0123.423] SetLastError (dwErrCode=0x0) [0123.423] GetLastError () returned 0x0 [0123.423] SetLastError (dwErrCode=0x0) [0123.423] GetLastError () returned 0x0 [0123.423] SetLastError (dwErrCode=0x0) [0123.423] GetLastError () returned 0x0 [0123.423] SetLastError (dwErrCode=0x0) [0123.423] GetLastError () returned 0x0 [0123.423] SetLastError (dwErrCode=0x0) [0123.423] GetLastError () returned 0x0 [0123.423] SetLastError (dwErrCode=0x0) [0123.423] GetLastError () returned 0x0 [0123.423] SetLastError (dwErrCode=0x0) [0123.423] GetLastError () returned 0x0 [0123.423] SetLastError (dwErrCode=0x0) [0123.423] GetLastError () returned 0x0 [0123.424] SetLastError (dwErrCode=0x0) [0123.424] GetLastError () returned 0x0 [0123.424] SetLastError (dwErrCode=0x0) [0123.424] GetLastError () returned 0x0 [0123.424] SetLastError (dwErrCode=0x0) [0123.424] GetLastError () returned 0x0 [0123.424] SetLastError (dwErrCode=0x0) [0123.424] GetLastError () returned 0x0 [0123.424] SetLastError (dwErrCode=0x0) [0123.424] GetLastError () returned 0x0 [0123.424] SetLastError (dwErrCode=0x0) [0123.424] GetLastError () returned 0x0 [0123.424] SetLastError (dwErrCode=0x0) [0123.424] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x30) returned 0xddd40 [0123.424] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xddd40, cbMultiByte=32, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 32 [0123.424] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x0, Size=0x50) returned 0xc7400 [0123.424] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xddd40, cbMultiByte=32, lpWideCharStr=0xc7400, cchWideChar=32 | out: lpWideCharStr="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 32 [0123.424] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 0x180 [0123.425] GetLastError () returned 0xb7 [0123.425] CloseHandle (hObject=0x180) returned 1 [0123.426] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xc7400 | out: hHeap=0x80000) returned 1 [0123.426] CoUninitialize () [0123.679] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xddd40 | out: hHeap=0x80000) returned 1 [0123.679] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xc8020 | out: hHeap=0x80000) returned 1 [0123.680] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xddd80 | out: hHeap=0x80000) returned 1 [0123.680] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xbbb10 | out: hHeap=0x80000) returned 1 [0123.680] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xabf60 | out: hHeap=0x80000) returned 1 [0123.681] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xabee0 | out: hHeap=0x80000) returned 1 [0123.681] HeapFree (in: hHeap=0x80000, dwFlags=0x0, lpMem=0xb5b70 | out: hHeap=0x80000) returned 1 Thread: id = 165 os_tid = 0xea8 Thread: id = 166 os_tid = 0xe30 [0120.791] GetLastError () returned 0x57 [0120.791] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x78) returned 0xabfe0 [0120.791] SetLastError (dwErrCode=0x57) [0120.804] GetLastError () returned 0x57 [0120.817] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3c8) returned 0xd50e0 [0120.946] SetLastError (dwErrCode=0x57) Thread: id = 168 os_tid = 0xec8 [0121.222] GetLastError () returned 0x57 [0121.222] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x78) returned 0xac060 [0121.222] SetLastError (dwErrCode=0x57) [0121.222] GetLastError () returned 0x57 [0121.222] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3c8) returned 0xe2f90 [0121.222] SetLastError (dwErrCode=0x57) Thread: id = 169 os_tid = 0x9bc [0121.223] GetLastError () returned 0x57 [0121.223] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x78) returned 0xac0e0 [0121.223] SetLastError (dwErrCode=0x57) [0121.223] GetLastError () returned 0x57 [0121.223] RtlAllocateHeap (HeapHandle=0x80000, Flags=0x8, Size=0x3c8) returned 0xe6bf0 [0121.224] SetLastError (dwErrCode=0x57) Process: id = "23" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x40ed2000" os_pid = "0xeb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"DefaultInstall\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1319 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1320 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1321 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1322 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1323 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1324 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1325 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1326 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1327 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1328 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1329 start_va = 0x7fffffda000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1330 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1331 start_va = 0x150000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1332 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1333 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1334 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1335 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1336 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1337 start_va = 0x150000 end_va = 0x1b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1338 start_va = 0x210000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1339 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1340 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1341 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1342 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1343 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1344 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1345 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1346 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1347 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1348 start_va = 0x310000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 1349 start_va = 0x310000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 1350 start_va = 0x430000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 1351 start_va = 0x1c0000 end_va = 0x1e8fff monitored = 0 entry_point = 0x1c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1352 start_va = 0x440000 end_va = 0x5c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 1353 start_va = 0x1c0000 end_va = 0x1e8fff monitored = 0 entry_point = 0x1c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1354 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1355 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1356 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1357 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1358 start_va = 0x5d0000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 1359 start_va = 0x760000 end_va = 0x1b5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 1360 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1361 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1362 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1365 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1366 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Thread: id = 48 os_tid = 0xeac [0070.548] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f9d8 | out: lpSystemTimeAsFileTime=0x14f9d8*(dwLowDateTime=0x241b1320, dwHighDateTime=0x1d937fd)) [0070.548] GetCurrentThreadId () returned 0xeac [0070.548] GetCurrentProcessId () returned 0xeb4 [0070.548] QueryPerformanceCounter (in: lpPerformanceCount=0x14f9e0 | out: lpPerformanceCount=0x14f9e0*=3320099981762) returned 1 [0070.548] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0070.551] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0070.551] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0070.552] GetLastError () returned 0x7e [0070.552] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0070.552] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0070.552] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0070.553] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0070.553] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0070.554] GetProcessHeap () returned 0x210000 [0070.554] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0070.554] GetLastError () returned 0x7e [0070.554] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0070.554] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0070.554] GetLastError () returned 0x7e [0070.554] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0070.554] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0070.555] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3c8) returned 0x22cfb0 [0070.555] SetLastError (dwErrCode=0x7e) [0070.555] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1200) returned 0x22d380 [0070.557] GetStartupInfoW (in: lpStartupInfo=0x14f8b0 | out: lpStartupInfo=0x14f8b0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x14f938, hStdError=0x1)) [0070.557] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0070.557] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0070.557] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0070.558] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"DefaultInstall\"" [0070.558] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"DefaultInstall\"" [0070.558] GetACP () returned 0x4e4 [0070.558] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x228) returned 0x22ab90 [0070.558] IsValidCodePage (CodePage=0x4e4) returned 1 [0070.558] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14f870 | out: lpCPInfo=0x14f870) returned 1 [0070.558] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14f110 | out: lpCPInfo=0x14f110) returned 1 [0070.558] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f130, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0070.558] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f130, cbMultiByte=256, lpWideCharStr=0x14ee60, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0070.558] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x14f430 | out: lpCharType=0x14f430) returned 1 [0070.558] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f130, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0070.558] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f130, cbMultiByte=256, lpWideCharStr=0x14ee00, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0070.558] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0070.559] GetLastError () returned 0x7e [0070.559] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0070.559] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0070.560] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x14ebf0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0070.560] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x14f230, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«\"", lpUsedDefaultChar=0x0) returned 256 [0070.560] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f130, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0070.560] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f130, cbMultiByte=256, lpWideCharStr=0x14ee00, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0070.560] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0070.560] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x14ebf0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0070.560] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x14f330, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0070.560] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x100) returned 0x22f590 [0070.560] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0070.560] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x198) returned 0x22f6a0 [0070.561] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0070.561] GetLastError () returned 0x0 [0070.561] SetLastError (dwErrCode=0x0) [0070.561] GetEnvironmentStringsW () returned 0x22f840* [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0xb32) returned 0x230380 [0070.561] FreeEnvironmentStringsW (penv=0x22f840) returned 1 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x128) returned 0x22f840 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3e) returned 0x22afe0 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x56) returned 0x22adc0 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x62) returned 0x230ec0 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x78) returned 0x230f30 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x62) returned 0x22f970 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x30) returned 0x22e900 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x48) returned 0x22b030 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x28) returned 0x2279a0 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1a) returned 0x2279d0 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x34) returned 0x22e940 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x5c) returned 0x22f9e0 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x32) returned 0x22e980 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2e) returned 0x22e9c0 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1c) returned 0x227a00 [0070.561] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x19c) returned 0x22fa50 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x7c) returned 0x22fc00 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3a) returned 0x22b080 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x90) returned 0x22fc90 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x24) returned 0x227a30 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x30) returned 0x22ea00 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x36) returned 0x22ea40 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3c) returned 0x22b0d0 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x52) returned 0x22fd30 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3c) returned 0x22b120 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0xd6) returned 0x22fd90 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2e) returned 0x22ea80 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1e) returned 0x227a60 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2c) returned 0x22eac0 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x54) returned 0x22fe70 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x52) returned 0x22fed0 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2c) returned 0x22eb00 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x26) returned 0x227a90 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3e) returned 0x22b170 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x24) returned 0x227ac0 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x30) returned 0x22eb40 [0070.562] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x8c) returned 0x22ff30 [0070.563] HeapFree (in: hHeap=0x210000, dwFlags=0x0, lpMem=0x230380 | out: hHeap=0x210000) returned 1 [0070.563] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1000) returned 0x230fb0 [0070.563] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0070.564] GetStartupInfoW (in: lpStartupInfo=0x14f940 | out: lpStartupInfo=0x14f940*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0070.564] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"DefaultInstall\"" [0070.564] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"DefaultInstall\"", pNumArgs=0x14f910 | out: pNumArgs=0x14f910) returned 0x230450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0070.564] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0070.572] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x1000) returned 0x2340a0 [0070.572] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x12) returned 0x230e80 [0070.572] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="FPH732n7", cchWideChar=-1, lpMultiByteStr=0x230e80, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FPH732n7", lpUsedDefaultChar=0x0) returned 9 [0070.572] GetLastError () returned 0x0 [0070.572] SetLastError (dwErrCode=0x0) [0070.573] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7W") returned 0x0 [0070.573] GetLastError () returned 0x7f [0070.573] SetLastError (dwErrCode=0x7f) [0070.573] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7A") returned 0x0 [0070.573] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7") returned 0x7fef2eb1cf0 [0070.573] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x1e) returned 0x227b50 [0070.573] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefaultInstall", cchWideChar=-1, lpMultiByteStr=0x227b50, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefaultInstall", lpUsedDefaultChar=0x0) returned 15 [0070.573] GetActiveWindow () returned 0x0 [0070.574] GetLastError () returned 0x7f [0070.574] SetLastError (dwErrCode=0x7f) Process: id = "24" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x410de000" os_pid = "0xee4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"DefaultInstall\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1380 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1381 start_va = 0x30000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1382 start_va = 0x130000 end_va = 0x133fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1383 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1384 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1385 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1386 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1387 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1388 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1389 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1390 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1391 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1392 start_va = 0x150000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1393 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1394 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1395 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1396 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1397 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1398 start_va = 0x150000 end_va = 0x1b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1399 start_va = 0x250000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1400 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1401 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1402 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1403 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1404 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1405 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1406 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1410 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1411 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1412 start_va = 0x1c0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1413 start_va = 0x350000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 1414 start_va = 0x1c0000 end_va = 0x1e8fff monitored = 0 entry_point = 0x1c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1415 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1416 start_va = 0x450000 end_va = 0x5d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1417 start_va = 0x1c0000 end_va = 0x1e8fff monitored = 0 entry_point = 0x1c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1418 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1419 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1420 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1421 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1422 start_va = 0x5e0000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 1423 start_va = 0x770000 end_va = 0x1b6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 1465 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1466 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1467 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1468 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1469 start_va = 0x200000 end_va = 0x200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Thread: id = 50 os_tid = 0xed8 [0072.958] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fb58 | out: lpSystemTimeAsFileTime=0x12fb58*(dwLowDateTime=0x25449f00, dwHighDateTime=0x1d937fd)) [0072.958] GetCurrentThreadId () returned 0xed8 [0072.958] GetCurrentProcessId () returned 0xee4 [0072.958] QueryPerformanceCounter (in: lpPerformanceCount=0x12fb60 | out: lpPerformanceCount=0x12fb60*=3320340991683) returned 1 [0072.959] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0072.962] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0072.964] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0072.965] GetLastError () returned 0x7e [0072.965] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0072.965] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0072.965] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0072.966] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0072.966] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0072.967] GetProcessHeap () returned 0x250000 [0072.967] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0072.967] GetLastError () returned 0x7e [0072.967] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0072.967] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0072.967] GetLastError () returned 0x7e [0072.968] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0072.968] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0072.968] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c8) returned 0x26cfb0 [0072.968] SetLastError (dwErrCode=0x7e) [0072.968] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1200) returned 0x26d380 [0072.970] GetStartupInfoW (in: lpStartupInfo=0x12fa30 | out: lpStartupInfo=0x12fa30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12fab8, hStdError=0x1)) [0072.971] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0072.971] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0072.971] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0072.971] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"DefaultInstall\"" [0072.971] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"DefaultInstall\"" [0072.971] GetACP () returned 0x4e4 [0072.971] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x228) returned 0x26ab90 [0072.971] IsValidCodePage (CodePage=0x4e4) returned 1 [0072.971] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f9f0 | out: lpCPInfo=0x12f9f0) returned 1 [0072.971] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f290 | out: lpCPInfo=0x12f290) returned 1 [0072.971] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12f2b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0072.972] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12f2b0, cbMultiByte=256, lpWideCharStr=0x12efe0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0072.972] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x12f5b0 | out: lpCharType=0x12f5b0) returned 1 [0072.972] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12f2b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0072.972] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12f2b0, cbMultiByte=256, lpWideCharStr=0x12ef80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0072.972] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0072.972] GetLastError () returned 0x7e [0072.972] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0072.972] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0072.973] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x12ed70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0072.973] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x12f3b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«&", lpUsedDefaultChar=0x0) returned 256 [0072.973] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12f2b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0072.973] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12f2b0, cbMultiByte=256, lpWideCharStr=0x12ef80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0072.973] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0072.973] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x12ed70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0072.973] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x12f4b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0072.973] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x100) returned 0x26f590 [0072.974] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0072.974] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x198) returned 0x26f6a0 [0072.974] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0072.974] GetLastError () returned 0x0 [0072.974] SetLastError (dwErrCode=0x0) [0072.974] GetEnvironmentStringsW () returned 0x26f840* [0072.974] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0xb32) returned 0x270380 [0072.974] FreeEnvironmentStringsW (penv=0x26f840) returned 1 [0072.974] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x128) returned 0x26f840 [0072.974] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3e) returned 0x26afe0 [0072.974] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x56) returned 0x26adc0 [0072.974] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x62) returned 0x270ec0 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x78) returned 0x270f30 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x62) returned 0x26f970 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x30) returned 0x26e900 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x48) returned 0x26b030 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x28) returned 0x2679a0 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1a) returned 0x2679d0 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x34) returned 0x26e940 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x5c) returned 0x26f9e0 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x32) returned 0x26e980 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2e) returned 0x26e9c0 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1c) returned 0x267a00 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x19c) returned 0x26fa50 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x7c) returned 0x26fc00 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3a) returned 0x26b080 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x90) returned 0x26fc90 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x24) returned 0x267a30 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x30) returned 0x26ea00 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x36) returned 0x26ea40 [0072.975] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c) returned 0x26b0d0 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x52) returned 0x26fd30 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c) returned 0x26b120 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xd6) returned 0x26fd90 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2e) returned 0x26ea80 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1e) returned 0x267a60 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2c) returned 0x26eac0 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x54) returned 0x26fe70 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x52) returned 0x26fed0 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2c) returned 0x26eb00 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x26) returned 0x267a90 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3e) returned 0x26b170 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x24) returned 0x267ac0 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x30) returned 0x26eb40 [0072.976] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x8c) returned 0x26ff30 [0072.977] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x270380 | out: hHeap=0x250000) returned 1 [0072.977] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1000) returned 0x270fb0 [0072.977] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0072.978] GetStartupInfoW (in: lpStartupInfo=0x12fac0 | out: lpStartupInfo=0x12fac0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0072.978] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"DefaultInstall\"" [0072.978] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"DefaultInstall\"", pNumArgs=0x12fa90 | out: pNumArgs=0x12fa90) returned 0x270450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0072.978] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0072.985] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x1000) returned 0x2740a0 [0072.985] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x12) returned 0x270e80 [0072.985] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="KlXWgB9j", cchWideChar=-1, lpMultiByteStr=0x270e80, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="KlXWgB9j", lpUsedDefaultChar=0x0) returned 9 [0072.985] GetLastError () returned 0x0 [0072.986] SetLastError (dwErrCode=0x0) [0072.986] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jW") returned 0x0 [0072.986] GetLastError () returned 0x7f [0072.986] SetLastError (dwErrCode=0x7f) [0072.986] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jA") returned 0x0 [0072.986] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9j") returned 0x7fef2eb0010 [0072.986] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x1e) returned 0x267b50 [0072.986] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefaultInstall", cchWideChar=-1, lpMultiByteStr=0x267b50, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefaultInstall", lpUsedDefaultChar=0x0) returned 15 [0072.986] GetActiveWindow () returned 0x0 [0073.197] GetLastError () returned 0x7f [0073.197] SetLastError (dwErrCode=0x7f) Process: id = "25" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x407ea000" os_pid = "0xed4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"DefaultInstall\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1424 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1425 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1426 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1427 start_va = 0x110000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1428 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1429 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1430 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1431 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1432 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1433 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1434 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 1435 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1436 start_va = 0x210000 end_va = 0x39ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1437 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1438 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1439 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1440 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1441 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1442 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1443 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1444 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1445 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1446 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1447 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1448 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1449 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1451 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1452 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1453 start_va = 0x3a0000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1454 start_va = 0x3a0000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1455 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 1456 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1457 start_va = 0x520000 end_va = 0x6a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 1458 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1459 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1460 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1461 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1462 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1463 start_va = 0x6b0000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 1464 start_va = 0x840000 end_va = 0x1c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 1470 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1471 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1472 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1473 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1474 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Thread: id = 52 os_tid = 0xecc [0073.467] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20f858 | out: lpSystemTimeAsFileTime=0x20f858*(dwLowDateTime=0x2590cb00, dwHighDateTime=0x1d937fd)) [0073.467] GetCurrentThreadId () returned 0xecc [0073.467] GetCurrentProcessId () returned 0xed4 [0073.467] QueryPerformanceCounter (in: lpPerformanceCount=0x20f860 | out: lpPerformanceCount=0x20f860*=3320391918550) returned 1 [0073.468] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0073.469] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0073.470] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0073.470] GetLastError () returned 0x7e [0073.470] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0073.470] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0073.470] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0073.471] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0073.471] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0073.471] GetProcessHeap () returned 0x2a0000 [0073.471] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0073.472] GetLastError () returned 0x7e [0073.472] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0073.472] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0073.472] GetLastError () returned 0x7e [0073.472] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0073.472] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0073.472] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x3c8) returned 0x2bcfb0 [0073.472] SetLastError (dwErrCode=0x7e) [0073.472] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x1200) returned 0x2bd380 [0073.474] GetStartupInfoW (in: lpStartupInfo=0x20f730 | out: lpStartupInfo=0x20f730*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x20f7b8, hStdError=0x1)) [0073.474] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0073.474] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0073.474] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0073.474] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"DefaultInstall\"" [0073.474] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"DefaultInstall\"" [0073.475] GetACP () returned 0x4e4 [0073.475] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x0, Size=0x228) returned 0x2bab90 [0073.475] IsValidCodePage (CodePage=0x4e4) returned 1 [0073.475] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x20f6f0 | out: lpCPInfo=0x20f6f0) returned 1 [0073.475] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x20ef90 | out: lpCPInfo=0x20ef90) returned 1 [0073.475] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20efb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0073.475] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20efb0, cbMultiByte=256, lpWideCharStr=0x20ece0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0073.475] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x20f2b0 | out: lpCharType=0x20f2b0) returned 1 [0073.475] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20efb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0073.475] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20efb0, cbMultiByte=256, lpWideCharStr=0x20ec80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0073.475] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0073.475] GetLastError () returned 0x7e [0073.475] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0073.475] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0073.476] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x20ea70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0073.476] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x20f0b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«+", lpUsedDefaultChar=0x0) returned 256 [0073.476] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20efb0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0073.476] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20efb0, cbMultiByte=256, lpWideCharStr=0x20ec80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0073.476] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0073.476] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x20ea70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0073.476] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x20f1b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0073.476] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x0, Size=0x100) returned 0x2bf590 [0073.476] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0073.476] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x196) returned 0x2bf6a0 [0073.476] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0073.476] GetLastError () returned 0x0 [0073.476] SetLastError (dwErrCode=0x0) [0073.476] GetEnvironmentStringsW () returned 0x2bf840* [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x0, Size=0xb32) returned 0x2c0380 [0073.477] FreeEnvironmentStringsW (penv=0x2bf840) returned 1 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x128) returned 0x2bf840 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x3e) returned 0x2bafe0 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x56) returned 0x2badc0 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x62) returned 0x2c0ec0 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x78) returned 0x2c0f30 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x62) returned 0x2bf970 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x30) returned 0x2be900 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x48) returned 0x2bb030 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x28) returned 0x2b79a0 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x1a) returned 0x2b79d0 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x34) returned 0x2be940 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x5c) returned 0x2bf9e0 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x32) returned 0x2be980 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x2e) returned 0x2be9c0 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x1c) returned 0x2b7a00 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x19c) returned 0x2bfa50 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x7c) returned 0x2bfc00 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x3a) returned 0x2bb080 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x90) returned 0x2bfc90 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x24) returned 0x2b7a30 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x30) returned 0x2bea00 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x36) returned 0x2bea40 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x3c) returned 0x2bb0d0 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x52) returned 0x2bfd30 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x3c) returned 0x2bb120 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0xd6) returned 0x2bfd90 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x2e) returned 0x2bea80 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x1e) returned 0x2b7a60 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x2c) returned 0x2beac0 [0073.477] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x54) returned 0x2bfe70 [0073.478] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x52) returned 0x2bfed0 [0073.478] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x2c) returned 0x2beb00 [0073.478] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x26) returned 0x2b7a90 [0073.478] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x3e) returned 0x2bb170 [0073.478] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x24) returned 0x2b7ac0 [0073.478] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x30) returned 0x2beb40 [0073.478] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x8c) returned 0x2bff30 [0073.478] HeapFree (in: hHeap=0x2a0000, dwFlags=0x0, lpMem=0x2c0380 | out: hHeap=0x2a0000) returned 1 [0073.478] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x8, Size=0x1000) returned 0x2c0fb0 [0073.479] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0073.479] GetStartupInfoW (in: lpStartupInfo=0x20f7c0 | out: lpStartupInfo=0x20f7c0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0073.479] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"DefaultInstall\"" [0073.479] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"DefaultInstall\"", pNumArgs=0x20f790 | out: pNumArgs=0x20f790) returned 0x2c0450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0073.479] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0073.484] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x0, Size=0x1000) returned 0x2c40a0 [0073.484] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x0, Size=0x10) returned 0x2c0e80 [0073.484] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="LKKIJ77", cchWideChar=-1, lpMultiByteStr=0x2c0e80, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LKKIJ77", lpUsedDefaultChar=0x0) returned 8 [0073.484] GetLastError () returned 0x0 [0073.484] SetLastError (dwErrCode=0x0) [0073.485] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77W") returned 0x0 [0073.485] GetLastError () returned 0x7f [0073.485] SetLastError (dwErrCode=0x7f) [0073.485] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77A") returned 0x0 [0073.485] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77") returned 0x7fef2ea6420 [0073.485] RtlAllocateHeap (HeapHandle=0x2a0000, Flags=0x0, Size=0x1e) returned 0x2b7b50 [0073.485] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefaultInstall", cchWideChar=-1, lpMultiByteStr=0x2b7b50, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefaultInstall", lpUsedDefaultChar=0x0) returned 15 [0073.485] GetActiveWindow () returned 0x0 [0073.930] GetLastError () returned 0x7f [0073.930] SetLastError (dwErrCode=0x7f) Process: id = "26" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x3dff6000" os_pid = "0x9a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"DefaultInstall\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1491 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1492 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1493 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1494 start_va = 0x130000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1495 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1496 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1497 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1498 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1499 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1500 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1501 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1502 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 1503 start_va = 0x230000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1504 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1505 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1506 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1507 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1508 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1509 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1510 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1511 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1512 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1513 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1514 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1515 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1516 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1517 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1518 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1519 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1520 start_va = 0x230000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1521 start_va = 0x3b0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 1522 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1523 start_va = 0x4b0000 end_va = 0x637fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 1524 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1525 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1526 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1528 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1529 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1530 start_va = 0x640000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 1531 start_va = 0x7d0000 end_va = 0x1bcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1566 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1567 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1568 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1569 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 1570 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Thread: id = 54 os_tid = 0x9ac [0079.346] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x22f8f8 | out: lpSystemTimeAsFileTime=0x22f8f8*(dwLowDateTime=0x28ae37a0, dwHighDateTime=0x1d937fd)) [0079.346] GetCurrentThreadId () returned 0x9ac [0079.346] GetCurrentProcessId () returned 0x9a8 [0079.346] QueryPerformanceCounter (in: lpPerformanceCount=0x22f900 | out: lpPerformanceCount=0x22f900*=3320979821268) returned 1 [0079.347] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0079.349] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0079.350] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0079.350] GetLastError () returned 0x7e [0079.350] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0079.350] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0079.350] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0079.351] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0079.351] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0079.352] GetProcessHeap () returned 0x3b0000 [0079.352] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0079.352] GetLastError () returned 0x7e [0079.352] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0079.352] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0079.352] GetLastError () returned 0x7e [0079.352] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0079.353] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0079.353] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3c8) returned 0x3ccfb0 [0079.353] SetLastError (dwErrCode=0x7e) [0079.353] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1200) returned 0x3cd380 [0079.355] GetStartupInfoW (in: lpStartupInfo=0x22f7d0 | out: lpStartupInfo=0x22f7d0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x22f858, hStdError=0x1)) [0079.355] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0079.355] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0079.355] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0079.356] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"DefaultInstall\"" [0079.356] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"DefaultInstall\"" [0079.356] GetACP () returned 0x4e4 [0079.356] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x228) returned 0x3cab90 [0079.356] IsValidCodePage (CodePage=0x4e4) returned 1 [0079.356] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x22f790 | out: lpCPInfo=0x22f790) returned 1 [0079.356] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x22f030 | out: lpCPInfo=0x22f030) returned 1 [0079.356] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x22f050, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0079.356] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x22f050, cbMultiByte=256, lpWideCharStr=0x22ed80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0079.356] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x22f350 | out: lpCharType=0x22f350) returned 1 [0079.356] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x22f050, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0079.356] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x22f050, cbMultiByte=256, lpWideCharStr=0x22ed20, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0079.356] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0079.357] GetLastError () returned 0x7e [0079.357] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0079.357] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0079.357] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x22eb10, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0079.357] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x22f150, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«<", lpUsedDefaultChar=0x0) returned 256 [0079.357] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x22f050, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0079.357] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x22f050, cbMultiByte=256, lpWideCharStr=0x22ed20, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0079.358] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0079.358] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x22eb10, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0079.358] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x22f250, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0079.358] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x100) returned 0x3cf590 [0079.358] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0079.358] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x19c) returned 0x3cf6a0 [0079.358] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0079.358] GetLastError () returned 0x0 [0079.358] SetLastError (dwErrCode=0x0) [0079.358] GetEnvironmentStringsW () returned 0x3cf850* [0079.358] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0xb32) returned 0x3d0390 [0079.358] FreeEnvironmentStringsW (penv=0x3cf850) returned 1 [0079.358] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x128) returned 0x3cf850 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3e) returned 0x3cafe0 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x56) returned 0x3cadc0 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x62) returned 0x3d0ed0 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x78) returned 0x3d0f40 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x62) returned 0x3cf980 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x30) returned 0x3ce900 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x48) returned 0x3cb030 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x28) returned 0x3c79a0 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1a) returned 0x3c79d0 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x34) returned 0x3ce940 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x5c) returned 0x3cf9f0 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x32) returned 0x3ce980 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x2e) returned 0x3ce9c0 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1c) returned 0x3c7a00 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x19c) returned 0x3cfa60 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x7c) returned 0x3cfc10 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3a) returned 0x3cb080 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x90) returned 0x3cfca0 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x24) returned 0x3c7a30 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x30) returned 0x3cea00 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x36) returned 0x3cea40 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3c) returned 0x3cb0d0 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x52) returned 0x3cfd40 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3c) returned 0x3cb120 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xd6) returned 0x3cfda0 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x2e) returned 0x3cea80 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1e) returned 0x3c7a60 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x2c) returned 0x3ceac0 [0079.359] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x54) returned 0x3cfe80 [0079.360] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x52) returned 0x3cfee0 [0079.360] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x2c) returned 0x3ceb00 [0079.360] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x26) returned 0x3c7a90 [0079.360] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x3e) returned 0x3cb170 [0079.360] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x24) returned 0x3c7ac0 [0079.360] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x30) returned 0x3ceb40 [0079.360] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x8c) returned 0x3cff40 [0079.360] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3d0390 | out: hHeap=0x3b0000) returned 1 [0079.360] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x1000) returned 0x3d0fd0 [0079.361] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0079.361] GetStartupInfoW (in: lpStartupInfo=0x22f860 | out: lpStartupInfo=0x22f860*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0079.361] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"DefaultInstall\"" [0079.361] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"DefaultInstall\"", pNumArgs=0x22f830 | out: pNumArgs=0x22f830) returned 0x3d0460*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0079.361] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0079.370] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x1000) returned 0x3d40c0 [0079.370] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x16) returned 0x3d0ea0 [0079.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MMlFUh3Tzt", cchWideChar=-1, lpMultiByteStr=0x3d0ea0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMlFUh3Tzt", lpUsedDefaultChar=0x0) returned 11 [0079.370] GetLastError () returned 0x0 [0079.370] SetLastError (dwErrCode=0x0) [0079.371] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztW") returned 0x0 [0079.371] GetLastError () returned 0x7f [0079.371] SetLastError (dwErrCode=0x7f) [0079.371] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztA") returned 0x0 [0079.371] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3Tzt") returned 0x7fef2eb0cf0 [0079.371] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x1e) returned 0x3c7b50 [0079.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefaultInstall", cchWideChar=-1, lpMultiByteStr=0x3c7b50, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefaultInstall", lpUsedDefaultChar=0x0) returned 15 [0079.371] GetActiveWindow () returned 0x0 [0079.460] GetLastError () returned 0x7f [0079.461] SetLastError (dwErrCode=0x7f) Process: id = "27" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x3d602000" os_pid = "0xad8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"127.0.0.1\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1532 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1533 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1534 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1535 start_va = 0xd0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1536 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1537 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1538 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1539 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1540 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1541 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1542 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1543 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 1544 start_va = 0x1d0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1545 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1546 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1547 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1548 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1549 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1550 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1551 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1552 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1553 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1554 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1555 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1556 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1557 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1558 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1559 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1560 start_va = 0x1d0000 end_va = 0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1561 start_va = 0x300000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1571 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1572 start_va = 0x1d0000 end_va = 0x1f8fff monitored = 0 entry_point = 0x1d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1573 start_va = 0x290000 end_va = 0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1574 start_va = 0x500000 end_va = 0x687fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 1575 start_va = 0x1d0000 end_va = 0x1f8fff monitored = 0 entry_point = 0x1d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1576 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1577 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1621 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1622 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1623 start_va = 0x690000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 1624 start_va = 0x820000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 1652 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1653 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1654 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2696 start_va = 0x1e0000 end_va = 0x25dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 2697 start_va = 0x1c20000 end_va = 0x1d77fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c20000" filename = "" Region: id = 2698 start_va = 0x1d80000 end_va = 0x1ee0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d80000" filename = "" Region: id = 2699 start_va = 0x7fefd2c0000 end_va = 0x7fefd42cfff monitored = 0 entry_point = 0x7fefd2c10b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2700 start_va = 0x7fefd270000 end_va = 0x7fefd27efff monitored = 0 entry_point = 0x7fefd271020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2701 start_va = 0x7fefd060000 end_va = 0x7fefd06afff monitored = 0 entry_point = 0x7fefd061030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2702 start_va = 0x7fefd090000 end_va = 0x7fefd0b4fff monitored = 0 entry_point = 0x7fefd099658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2703 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2704 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2705 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2706 start_va = 0x7fefabb0000 end_va = 0x7fefabc7fff monitored = 0 entry_point = 0x7fefabb1010 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2707 start_va = 0x7fefacc0000 end_va = 0x7feface6fff monitored = 0 entry_point = 0x7fefacc98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2708 start_va = 0x7fefed70000 end_va = 0x7fefed77fff monitored = 0 entry_point = 0x7fefed71504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2709 start_va = 0x7fefacb0000 end_va = 0x7fefacbafff monitored = 0 entry_point = 0x7fefacb1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2710 start_va = 0x7fefb550000 end_va = 0x7fefb560fff monitored = 0 entry_point = 0x7fefb551070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2711 start_va = 0x7feff280000 end_va = 0x7feff2ccfff monitored = 0 entry_point = 0x7feff281070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2712 start_va = 0x1ef0000 end_va = 0x1fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 2756 start_va = 0x1fc0000 end_va = 0x228efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2760 start_va = 0x2450000 end_va = 0x254ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 2761 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2764 start_va = 0x2290000 end_va = 0x230cfff monitored = 0 entry_point = 0x229cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2765 start_va = 0x2290000 end_va = 0x230cfff monitored = 0 entry_point = 0x229cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2766 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2859 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 2860 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2862 start_va = 0x260000 end_va = 0x260fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 2863 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2864 start_va = 0x270000 end_va = 0x270fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 2865 start_va = 0x7fef9520000 end_va = 0x7fef952dfff monitored = 0 entry_point = 0x7fef9525500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2866 start_va = 0x7fef97c0000 end_va = 0x7fef9836fff monitored = 0 entry_point = 0x7fef97fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2867 start_va = 0x7fefcc30000 end_va = 0x7fefcc51fff monitored = 0 entry_point = 0x7fefcc35d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2868 start_va = 0x2750000 end_va = 0x284ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 2869 start_va = 0x7fefcac0000 end_va = 0x7fefcad7fff monitored = 0 entry_point = 0x7fefcac3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2870 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2871 start_va = 0x2a0000 end_va = 0x2e4fff monitored = 0 entry_point = 0x2a1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2872 start_va = 0x2a0000 end_va = 0x2e4fff monitored = 0 entry_point = 0x2a1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2873 start_va = 0x2a0000 end_va = 0x2e4fff monitored = 0 entry_point = 0x2a1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2874 start_va = 0x2a0000 end_va = 0x2e4fff monitored = 0 entry_point = 0x2a1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2875 start_va = 0x2a0000 end_va = 0x2e4fff monitored = 0 entry_point = 0x2a1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2876 start_va = 0x7fefc7c0000 end_va = 0x7fefc806fff monitored = 0 entry_point = 0x7fefc7c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2877 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c3fff monitored = 0 entry_point = 0x7fefd1b10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2880 start_va = 0x22b0000 end_va = 0x23affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022b0000" filename = "" Region: id = 2881 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2882 start_va = 0x2950000 end_va = 0x2a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002950000" filename = "" Region: id = 2883 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2884 start_va = 0x7fef9240000 end_va = 0x7fef9252fff monitored = 0 entry_point = 0x7fef9241d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2885 start_va = 0x7fef9560000 end_va = 0x7fef9632fff monitored = 0 entry_point = 0x7fef95d8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2886 start_va = 0x7fef9530000 end_va = 0x7fef9556fff monitored = 0 entry_point = 0x7fef95311a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2887 start_va = 0x280000 end_va = 0x282fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Thread: id = 56 os_tid = 0xadc [0084.278] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf8d8 | out: lpSystemTimeAsFileTime=0x1cf8d8*(dwLowDateTime=0x2a644c10, dwHighDateTime=0x1d937fd)) [0084.278] GetCurrentThreadId () returned 0xadc [0084.278] GetCurrentProcessId () returned 0xad8 [0084.278] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf8e0 | out: lpPerformanceCount=0x1cf8e0*=3321856109072) returned 1 [0084.279] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0084.282] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0084.282] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0084.282] GetLastError () returned 0x7e [0084.282] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0084.283] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0084.283] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0084.284] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0084.284] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0084.284] GetProcessHeap () returned 0x300000 [0084.285] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0084.285] GetLastError () returned 0x7e [0084.285] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0084.285] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0084.285] GetLastError () returned 0x7e [0084.285] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0084.285] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0084.285] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x31cfb0 [0084.286] SetLastError (dwErrCode=0x7e) [0084.286] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1200) returned 0x31d380 [0084.289] GetStartupInfoW (in: lpStartupInfo=0x1cf7b0 | out: lpStartupInfo=0x1cf7b0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x1cf838, hStdError=0x1)) [0084.290] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0084.290] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0084.290] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0084.290] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"127.0.0.1\"" [0084.290] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"127.0.0.1\"" [0084.290] GetACP () returned 0x4e4 [0084.290] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x228) returned 0x31ab90 [0084.290] IsValidCodePage (CodePage=0x4e4) returned 1 [0084.290] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cf770 | out: lpCPInfo=0x1cf770) returned 1 [0084.290] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cf010 | out: lpCPInfo=0x1cf010) returned 1 [0084.290] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf030, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0084.290] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf030, cbMultiByte=256, lpWideCharStr=0x1ced60, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0084.290] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x1cf330 | out: lpCharType=0x1cf330) returned 1 [0084.291] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf030, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0084.291] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf030, cbMultiByte=256, lpWideCharStr=0x1ced00, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0084.291] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0084.291] GetLastError () returned 0x7e [0084.291] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0084.291] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0084.292] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ceaf0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0084.292] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1cf130, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«1", lpUsedDefaultChar=0x0) returned 256 [0084.293] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf030, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0084.293] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf030, cbMultiByte=256, lpWideCharStr=0x1ced00, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0084.293] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0084.293] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ceaf0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0084.293] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1cf230, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0084.293] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x100) returned 0x31f590 [0084.293] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0084.293] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x192) returned 0x31f6a0 [0084.293] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0084.293] GetLastError () returned 0x0 [0084.293] SetLastError (dwErrCode=0x0) [0084.293] GetEnvironmentStringsW () returned 0x31f840* [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xb32) returned 0x320380 [0084.294] FreeEnvironmentStringsW (penv=0x31f840) returned 1 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x128) returned 0x31f840 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x31afe0 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x56) returned 0x31adc0 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x62) returned 0x320ec0 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x320f30 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x62) returned 0x31f970 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31e900 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x31b030 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x28) returned 0x3179a0 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1a) returned 0x3179d0 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x34) returned 0x31e940 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x5c) returned 0x31f9e0 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x32) returned 0x31e980 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31e9c0 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1c) returned 0x317a00 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x19c) returned 0x31fa50 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x7c) returned 0x31fc00 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3a) returned 0x31b080 [0084.294] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x90) returned 0x31fc90 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x317a30 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31ea00 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x36) returned 0x31ea40 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x31b0d0 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x31fd30 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x31b120 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xd6) returned 0x31fd90 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31ea80 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x317a60 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x31eac0 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x54) returned 0x31fe70 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x31fed0 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x31eb00 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x26) returned 0x317a90 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x31b170 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x317ac0 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31eb40 [0084.295] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x8c) returned 0x31ff30 [0084.296] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x320380 | out: hHeap=0x300000) returned 1 [0084.296] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1000) returned 0x320fb0 [0084.297] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0084.297] GetStartupInfoW (in: lpStartupInfo=0x1cf840 | out: lpStartupInfo=0x1cf840*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0084.297] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"127.0.0.1\"" [0084.297] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"127.0.0.1\"", pNumArgs=0x1cf810 | out: pNumArgs=0x1cf810) returned 0x320450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0084.297] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0084.490] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x1000) returned 0x3240a0 [0084.490] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x16) returned 0x320e80 [0084.490] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Cpurthnvlc", cchWideChar=-1, lpMultiByteStr=0x320e80, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Cpurthnvlc", lpUsedDefaultChar=0x0) returned 11 [0084.490] GetLastError () returned 0x0 [0084.490] SetLastError (dwErrCode=0x0) [0084.491] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcW") returned 0x0 [0084.491] GetLastError () returned 0x7f [0084.491] SetLastError (dwErrCode=0x7f) [0084.491] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcA") returned 0x0 [0084.491] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="Cpurthnvlc") returned 0x7fef2ea5970 [0084.491] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x14) returned 0x320ea0 [0084.491] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="127.0.0.1", cchWideChar=-1, lpMultiByteStr=0x320ea0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="127.0.0.1", lpUsedDefaultChar=0x0) returned 10 [0084.492] GetActiveWindow () returned 0x0 [0113.575] VirtualAlloc (lpAddress=0x0, dwSize=0x7e000, flAllocationType=0x3000, flProtect=0x40) returned 0x1e0000 [0113.660] GetProcAddress (hModule=0x77160000, lpProcName="ExitProcess") returned 0x772a40f0 [0113.660] GetProcAddress (hModule=0x77160000, lpProcName="LoadLibraryW") returned 0x77176420 [0113.660] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77280000 [0113.660] GetProcAddress (hModule=0x77280000, lpProcName="NtMapViewOfSection") returned 0x772d1590 [0113.660] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenFile") returned 0x772d1640 [0113.660] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenSection") returned 0x772d1680 [0113.660] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateSection") returned 0x772d17b0 [0113.660] GetProcAddress (hModule=0x77160000, lpProcName="VirtualProtect") returned 0x771629f0 [0113.660] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentThreadId") returned 0x77173380 [0113.660] GetProcAddress (hModule=0x77160000, lpProcName="GetModuleFileNameA") returned 0x77175940 [0113.661] GetProcAddress (hModule=0x77160000, lpProcName="VirtualAlloc") returned 0x77175c40 [0113.661] GetProcAddress (hModule=0x77160000, lpProcName="GetProcessHeap") returned 0x77181a30 [0113.661] GetProcAddress (hModule=0x77160000, lpProcName="HeapAlloc") returned 0x772d33a0 [0113.661] GetProcAddress (hModule=0x77160000, lpProcName="HeapFree") returned 0x77181a50 [0113.661] GetModuleFileNameA (in: hModule=0x7fef2ea0000, lpFilename=0x1cf510, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll")) returned 0x62 [0113.663] VirtualAlloc (lpAddress=0x0, dwSize=0x158000, flAllocationType=0x3000, flProtect=0x4) returned 0x1c20000 [0113.824] GetProcessHeap () returned 0x300000 [0113.824] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x3f80) returned 0x3250b0 [0114.053] GetProcessHeap () returned 0x300000 [0114.054] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3250b0 | out: hHeap=0x300000) returned 1 [0114.054] GetCurrentThreadId () returned 0xadc [0114.054] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cf3d4 | out: lpflOldProtect=0x1cf3d4*=0x20) returned 1 [0114.055] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cf3d4 | out: lpflOldProtect=0x1cf3d4*=0x40) returned 1 [0114.055] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cf3d4 | out: lpflOldProtect=0x1cf3d4*=0x20) returned 1 [0114.055] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cf3d4 | out: lpflOldProtect=0x1cf3d4*=0x40) returned 1 [0114.056] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cf3d4 | out: lpflOldProtect=0x1cf3d4*=0x20) returned 1 [0114.056] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cf3d4 | out: lpflOldProtect=0x1cf3d4*=0x40) returned 1 [0114.056] LoadLibraryW (lpLibFileName="gdiplus.dll") returned 0x1d80000 [0114.057] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ce244 | out: lpflOldProtect=0x1ce244*=0x20) returned 1 [0114.058] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ce244 | out: lpflOldProtect=0x1ce244*=0x40) returned 1 [0114.058] NtOpenFile (in: FileHandle=0x1ce328, DesiredAccess=0x100020, ObjectAttributes=0x1ce378*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1ce3a8, ShareAccess=0x3, OpenOptions=0x21 | out: FileHandle=0x1ce328*=0x70, IoStatusBlock=0x1ce3a8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0114.240] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ce244 | out: lpflOldProtect=0x1ce244*=0x20) returned 1 [0114.241] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ce244 | out: lpflOldProtect=0x1ce244*=0x40) returned 1 [0114.243] GetCurrentThreadId () returned 0xadc [0114.243] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cef14 | out: lpflOldProtect=0x1cef14*=0x20) returned 1 [0114.243] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cef14 | out: lpflOldProtect=0x1cef14*=0x40) returned 1 [0114.244] NtOpenFile (in: FileHandle=0x1cefe0, DesiredAccess=0x100021, ObjectAttributes=0x1cf098*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1cf0c8, ShareAccess=0x5, OpenOptions=0x60 | out: FileHandle=0x1cefe0*=0x74, IoStatusBlock=0x1cf0c8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0114.244] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cef04 | out: lpflOldProtect=0x1cef04*=0x20) returned 1 [0114.244] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cef04 | out: lpflOldProtect=0x1cef04*=0x40) returned 1 [0114.245] GetCurrentThreadId () returned 0xadc [0114.245] NtCreateSection (in: SectionHandle=0x1cefe8, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x74 | out: SectionHandle=0x1cefe8*=0x78) returned 0x0 [0114.245] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ced94 | out: lpflOldProtect=0x1ced94*=0x20) returned 1 [0114.246] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ced94 | out: lpflOldProtect=0x1ced94*=0x40) returned 1 [0114.246] GetCurrentThreadId () returned 0xadc [0114.246] NtCreateSection (in: SectionHandle=0x1cee78, DesiredAccess=0xe, ObjectAttributes=0x0, MaximumSize=0x1cee70, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x1cee78*=0x7c) returned 0x0 [0114.246] NtMapViewOfSection (in: SectionHandle=0x7c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1cee18*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1cf038*=0x0, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1cee18*=0x1d80000, SectionOffset=0x0, ViewSize=0x1cf038*=0x161000) returned 0x0 [0114.488] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cef18 | out: lpSystemTimeAsFileTime=0x1cef18*(dwLowDateTime=0x38ee9e20, dwHighDateTime=0x1d937fd)) [0114.488] GetCurrentThreadId () returned 0xadc [0114.488] GetCurrentProcessId () returned 0xad8 [0114.488] QueryPerformanceCounter (in: lpPerformanceCount=0x1cef20 | out: lpPerformanceCount=0x1cef20*=3325483922187) returned 1 [0114.578] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0114.578] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0114.579] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0114.579] GetLastError () returned 0x7e [0114.579] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0114.579] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0114.593] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0114.952] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0114.952] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0115.026] GetProcessHeap () returned 0x300000 [0115.050] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0115.051] GetLastError () returned 0x7e [0115.051] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0115.051] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0115.052] GetLastError () returned 0x7e [0115.052] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0115.131] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x331a80 [0115.131] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0115.155] SetLastError (dwErrCode=0x7e) [0115.223] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1000) returned 0x331e50 [0115.226] GetStartupInfoW (in: lpStartupInfo=0x1ceda0 | out: lpStartupInfo=0x1ceda0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x1)) [0115.226] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0115.226] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0115.226] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0115.249] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"127.0.0.1\"" [0115.249] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"127.0.0.1\"" [0115.318] GetLastError () returned 0x7e [0115.319] SetLastError (dwErrCode=0x7e) [0115.319] GetLastError () returned 0x7e [0115.319] SetLastError (dwErrCode=0x7e) [0115.319] GetACP () returned 0x4e4 [0115.319] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x228) returned 0x333e60 [0115.319] IsValidCodePage (CodePage=0x4e4) returned 1 [0115.319] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1ced70 | out: lpCPInfo=0x1ced70) returned 1 [0115.343] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1ce610 | out: lpCPInfo=0x1ce610) returned 1 [0115.344] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce630, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0115.344] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce630, cbMultiByte=256, lpWideCharStr=0x1ce360, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ0") returned 256 [0115.344] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ0", cchSrc=256, lpCharType=0x1ce930 | out: lpCharType=0x1ce930) returned 1 [0115.409] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce630, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0115.409] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce630, cbMultiByte=256, lpWideCharStr=0x1ce300, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0115.409] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0115.410] GetLastError () returned 0x7e [0115.410] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0115.410] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0115.410] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ce0f0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0115.410] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1ce730, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿX\x010", lpUsedDefaultChar=0x0) returned 256 [0115.410] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce630, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0115.410] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce630, cbMultiByte=256, lpWideCharStr=0x1ce300, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0115.410] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0115.410] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ce0f0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0115.411] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1ce830, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0115.411] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x100) returned 0x334090 [0115.411] RtlInitializeSListHead (in: ListHead=0x1ec8410 | out: ListHead=0x1ec8410) [0115.781] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0115.781] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0115.781] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0115.781] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0115.781] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0115.781] GetProcAddress (hModule=0x77160000, lpProcName="InitializeCriticalSectionEx") returned 0x77176e50 [0115.781] GetProcAddress (hModule=0x77160000, lpProcName="InitOnceExecuteOnce") returned 0x77165d60 [0115.781] GetProcAddress (hModule=0x77160000, lpProcName="CreateEventExW") returned 0x771ac970 [0115.781] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreW") returned 0x77168e00 [0115.782] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreExW") returned 0x771ac8a0 [0115.782] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolTimer") returned 0x77167e90 [0115.782] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolTimer") returned 0x7729b2f0 [0115.782] GetProcAddress (hModule=0x77160000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7728d8c0 [0115.782] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolTimer") returned 0x7728d620 [0115.782] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWait") returned 0x771abe60 [0115.782] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolWait") returned 0x7729e170 [0115.782] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWait") returned 0x7728c540 [0115.782] GetProcAddress (hModule=0x77160000, lpProcName="FlushProcessWriteBuffers") returned 0x772d1f80 [0115.782] GetProcAddress (hModule=0x77160000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x7734ec60 [0115.782] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentProcessorNumber") returned 0x772d0040 [0115.783] GetProcAddress (hModule=0x77160000, lpProcName="CreateSymbolicLinkW") returned 0x771d5af0 [0115.783] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentPackageId") returned 0x0 [0115.783] GetProcAddress (hModule=0x77160000, lpProcName="GetTickCount64") returned 0x77168ac0 [0115.783] GetProcAddress (hModule=0x77160000, lpProcName="GetFileInformationByHandleEx") returned 0x771712f0 [0115.783] GetProcAddress (hModule=0x77160000, lpProcName="SetFileInformationByHandle") returned 0x771ac120 [0115.783] GetProcAddress (hModule=0x77160000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0115.783] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0115.783] GetProcAddress (hModule=0x77160000, lpProcName="WakeConditionVariable") returned 0x7733bab0 [0115.784] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0115.784] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0115.784] GetProcAddress (hModule=0x77160000, lpProcName="InitializeSRWLock") returned 0x772b84f0 [0115.784] GetProcAddress (hModule=0x77160000, lpProcName="AcquireSRWLockExclusive") returned 0x772a8020 [0115.784] GetProcAddress (hModule=0x77160000, lpProcName="TryAcquireSRWLockExclusive") returned 0x7732bdd0 [0115.784] GetProcAddress (hModule=0x77160000, lpProcName="ReleaseSRWLockExclusive") returned 0x772a8050 [0115.784] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableSRW") returned 0x771ab5c0 [0115.784] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWork") returned 0x77165d30 [0115.784] GetProcAddress (hModule=0x77160000, lpProcName="SubmitThreadpoolWork") returned 0x77292330 [0115.784] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWork") returned 0x772921f0 [0115.784] GetProcAddress (hModule=0x77160000, lpProcName="CompareStringEx") returned 0x771abd60 [0115.785] GetProcAddress (hModule=0x77160000, lpProcName="GetLocaleInfoEx") returned 0x771635e0 [0115.785] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0115.798] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0115.798] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0115.798] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0115.798] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0115.799] RtlInitializeConditionVariable () returned 0x772a00b0 [0115.969] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1000) returned 0x3341a0 [0116.062] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1ec8fb0, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0116.157] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xdd) returned 0x322ee0 [0116.157] GetEnvironmentStringsW () returned 0x3351b0* [0116.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1433 [0116.157] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x599) returned 0x335cf0 [0116.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x335cf0, cbMultiByte=1433, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1433 [0116.158] FreeEnvironmentStringsW (penv=0x3351b0) returned 1 [0116.158] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x128) returned 0x3351b0 [0116.158] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1f) returned 0x325c50 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2b) returned 0x333750 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x31) returned 0x333790 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x3300c0 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x31) returned 0x3337d0 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18) returned 0x3352e0 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x325c80 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x14) returned 0x335300 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xd) returned 0x335320 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1a) returned 0x325cb0 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x333810 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x19) returned 0x325ce0 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x17) returned 0x335340 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xe) returned 0x335360 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xce) returned 0x335380 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x330110 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1d) returned 0x325d10 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x330160 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x12) returned 0x335460 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18) returned 0x335480 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1b) returned 0x325d40 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x325d70 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x29) returned 0x333850 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x325da0 [0116.177] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x6b) returned 0x32bdc0 [0116.178] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x17) returned 0x3354a0 [0116.178] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xf) returned 0x3354c0 [0116.178] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x16) returned 0x3354e0 [0116.178] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2a) returned 0x333890 [0116.178] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x29) returned 0x3338d0 [0116.178] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x16) returned 0x3362d0 [0116.178] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x13) returned 0x3362f0 [0116.178] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1f) returned 0x325dd0 [0116.178] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x12) returned 0x336310 [0116.178] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18) returned 0x336330 [0116.178] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x46) returned 0x3301b0 [0116.178] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335cf0 | out: hHeap=0x300000) returned 1 [0116.779] GetCurrentThread () returned 0xfffffffffffffffe [0116.779] GetThreadTimes (in: hThread=0xfffffffffffffffe, lpCreationTime=0x1cee58, lpExitTime=0x1cee50, lpKernelTime=0x1cee50, lpUserTime=0x1cee50 | out: lpCreationTime=0x1cee58, lpExitTime=0x1cee50, lpKernelTime=0x1cee50, lpUserTime=0x1cee50) returned 1 [0116.779] RtlInitializeSListHead (in: ListHead=0x1ec8aa0 | out: ListHead=0x1ec8aa0) [0116.983] RtlPcToFileHeader (in: PcValue=0x1eafef8, BaseOfImage=0x1ced80 | out: BaseOfImage=0x1ced80*=0x1d80000) returned 0x1d80000 [0117.290] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x50) returned 0x336aa0 [0117.290] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x98 [0117.578] RtlWakeAllConditionVariable () returned 0x772a00b0 [0117.604] RtlWakeAllConditionVariable () returned 0x772a00b0 [0117.604] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x1cecd0 | out: lpWSAData=0x1cecd0) returned 0 [0117.619] RtlWakeAllConditionVariable () returned 0x772a00b0 [0117.619] RtlWakeAllConditionVariable () returned 0x772a00b0 [0117.870] RtlSizeHeap (HeapHandle=0x300000, Flags=0x0, MemoryPointer=0x334090) returned 0x100 [0117.870] RtlReAllocateHeap (Heap=0x300000, Flags=0x0, Ptr=0x334090, Size=0x200) returned 0x335500 [0118.041] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0118.041] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateThreadEx") returned 0x772d1d90 [0118.041] GetProcAddress (hModule=0x77280000, lpProcName="RtlNewSecurityObjectWithMultipleInheritance") returned 0x77364540 [0118.041] GetCurrentProcess () returned 0xffffffffffffffff [0118.042] NtCreateThreadEx (in: ThreadHandle=0x1ec9890, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffffffffffff, lpStartAddress=0x77364540, lpParameter=0x0, CreateSuspended=1, StackZeroBits=0x0, SizeOfStackCommit=0x0, SizeOfStackReserve=0x0, lpBytesBuffer=0x0 | out: ThreadHandle=0x1ec9890*=0xb0, lpBytesBuffer=0x0) returned 0x0 [0118.042] GetThreadContext (in: hThread=0xb0, lpContext=0x1cea00 | out: lpContext=0x1cea00*(P1Home=0x336ea0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0x33, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0x334090, Dr2=0x772d3488, Dr3=0x300230, Dr6=0x300388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x77364540, Rdx=0x0, Rbx=0x0, Rsp=0x254f8b8, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x334090, VectorRegister.High=0x334090, VectorControl=0x0, DebugControl=0x1e07129, LastBranchToRip=0x0, LastBranchFromRip=0x1cf3b8, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0118.190] SetThreadContext (hThread=0xb0, lpContext=0x1cea00*(P1Home=0x336ea0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0x33, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0x334090, Dr2=0x772d3488, Dr3=0x300230, Dr6=0x300388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x1d9365c, Rdx=0x0, Rbx=0x0, Rsp=0x254f8b8, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x334090, VectorRegister.High=0x334090, VectorControl=0x0, DebugControl=0x1e07129, LastBranchToRip=0x0, LastBranchFromRip=0x1cf3b8, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0118.190] ResumeThread (hThread=0xb0) returned 0x1 [0118.196] GetProcAddress (hModule=0x1d80000, lpProcName="setPath") returned 0x1d94604 [0118.196] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x70) returned 0x32be40 [0118.196] SetEvent (hEvent=0x98) returned 1 [0118.216] WaitForSingleObject (hHandle=0xb0, dwMilliseconds=0xffffffff) returned 0x0 [0130.947] RtlExitUserProcess (ExitCode=0x0) [0130.951] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31cfb0 | out: hHeap=0x300000) returned 1 [0130.952] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x331a80 | out: hHeap=0x300000) returned 1 [0131.116] WSACleanup () returned 0 [0131.284] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32be40 | out: hHeap=0x300000) returned 1 [0131.285] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336aa0 | out: hHeap=0x300000) returned 1 [0131.461] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339660 | out: hHeap=0x300000) returned 1 [0131.476] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3383d0 | out: hHeap=0x300000) returned 1 [0131.478] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336370 | out: hHeap=0x300000) returned 1 [0131.478] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334090 | out: hHeap=0x300000) returned 1 [0131.478] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333e10 | out: hHeap=0x300000) returned 1 [0131.629] RtlInterlockedFlushSList (in: ListHead=0x1ec8410 | out: ListHead=0x1ec8410) returned 0x0 [0131.630] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335500 | out: hHeap=0x300000) returned 1 [0131.949] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3341a0 | out: hHeap=0x300000) returned 1 [0131.949] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0131.950] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x350cc0 | out: hHeap=0x300000) returned 1 [0131.950] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3643c0 | out: hHeap=0x300000) returned 1 [0131.951] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340b0 | out: hHeap=0x300000) returned 1 [0131.951] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3393a0 | out: hHeap=0x300000) returned 1 [0131.952] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x364bb0 | out: hHeap=0x300000) returned 1 [0132.026] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0132.026] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bfc0 | out: hHeap=0x300000) returned 1 [0132.027] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32c040 | out: hHeap=0x300000) returned 1 [0132.027] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32c0c0 | out: hHeap=0x300000) returned 1 [0132.066] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325c50 | out: hHeap=0x300000) returned 1 [0132.066] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333750 | out: hHeap=0x300000) returned 1 [0132.104] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333790 | out: hHeap=0x300000) returned 1 [0132.104] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3300c0 | out: hHeap=0x300000) returned 1 [0132.105] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3337d0 | out: hHeap=0x300000) returned 1 [0132.105] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3352e0 | out: hHeap=0x300000) returned 1 [0132.105] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325c80 | out: hHeap=0x300000) returned 1 [0132.105] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335300 | out: hHeap=0x300000) returned 1 [0132.105] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335320 | out: hHeap=0x300000) returned 1 [0132.106] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325cb0 | out: hHeap=0x300000) returned 1 [0132.106] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333810 | out: hHeap=0x300000) returned 1 [0132.106] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325ce0 | out: hHeap=0x300000) returned 1 [0132.106] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335340 | out: hHeap=0x300000) returned 1 [0132.106] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335360 | out: hHeap=0x300000) returned 1 [0132.107] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335380 | out: hHeap=0x300000) returned 1 [0132.107] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330110 | out: hHeap=0x300000) returned 1 [0132.107] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325d10 | out: hHeap=0x300000) returned 1 [0132.108] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330160 | out: hHeap=0x300000) returned 1 [0132.108] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335460 | out: hHeap=0x300000) returned 1 [0132.108] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335480 | out: hHeap=0x300000) returned 1 [0132.108] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325d40 | out: hHeap=0x300000) returned 1 [0132.108] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325d70 | out: hHeap=0x300000) returned 1 [0132.108] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333850 | out: hHeap=0x300000) returned 1 [0132.109] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325da0 | out: hHeap=0x300000) returned 1 [0132.109] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bdc0 | out: hHeap=0x300000) returned 1 [0132.110] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3354a0 | out: hHeap=0x300000) returned 1 [0132.110] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3354c0 | out: hHeap=0x300000) returned 1 [0132.110] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3354e0 | out: hHeap=0x300000) returned 1 [0132.110] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333890 | out: hHeap=0x300000) returned 1 [0132.111] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3338d0 | out: hHeap=0x300000) returned 1 [0132.111] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3362d0 | out: hHeap=0x300000) returned 1 [0132.111] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3362f0 | out: hHeap=0x300000) returned 1 [0132.111] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325dd0 | out: hHeap=0x300000) returned 1 [0132.111] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336310 | out: hHeap=0x300000) returned 1 [0132.111] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336330 | out: hHeap=0x300000) returned 1 [0132.111] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3301b0 | out: hHeap=0x300000) returned 1 [0132.112] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3351b0 | out: hHeap=0x300000) returned 1 [0132.113] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x333e60 | out: hHeap=0x300000) returned 1 [0132.113] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x322ee0 | out: hHeap=0x300000) returned 1 [0132.131] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x331e50 | out: hHeap=0x300000) returned 1 [0132.132] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0132.132] FreeLibrary (hLibModule=0x77160000) returned 1 [0132.180] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0132.180] FreeLibrary (hLibModule=0x77160000) returned 1 Thread: id = 162 os_tid = 0xe38 [0118.218] GetLastError () returned 0x57 [0118.218] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0118.218] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x32bec0 [0118.218] SetLastError (dwErrCode=0x57) [0118.218] GetLastError () returned 0x57 [0118.218] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x335b30 [0118.218] SetLastError (dwErrCode=0x57) [0118.239] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0118.239] GetLastError () returned 0x7e [0118.239] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x254f340 | out: lpSystemTimeAsFileTime=0x254f340*(dwLowDateTime=0x3ac84fc0, dwHighDateTime=0x1d937fd)) [0118.240] GetLastError () returned 0x7e [0118.240] SetLastError (dwErrCode=0x7e) [0118.240] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0118.240] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x70) returned 0x32bf40 [0118.452] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x260) returned 0x335f00 [0118.806] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0118.806] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x38) returned 0x333e10 [0119.054] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2) returned 0x334090 [0119.055] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334090 | out: hHeap=0x300000) returned 1 [0119.055] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2) returned 0x334090 [0119.055] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x3383d0 [0119.076] GetLastError () returned 0x7e [0119.076] SetLastError (dwErrCode=0x7e) [0119.077] GetLastError () returned 0x7e [0119.077] SetLastError (dwErrCode=0x7e) [0119.230] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x158) returned 0x3393a0 [0119.231] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6a6) returned 0x339500 [0119.231] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339500 | out: hHeap=0x300000) returned 1 [0119.231] GetLastError () returned 0x7e [0119.231] SetLastError (dwErrCode=0x7e) [0119.251] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6) returned 0x3340b0 [0119.251] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2) returned 0x3340d0 [0119.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x4) returned 0x3340f0 [0119.421] GetLastError () returned 0x7e [0119.421] SetLastError (dwErrCode=0x7e) [0119.421] GetLastError () returned 0x7e [0119.421] SetLastError (dwErrCode=0x7e) [0119.421] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x158) returned 0x339500 [0119.421] GetLastError () returned 0x7e [0119.421] SetLastError (dwErrCode=0x7e) [0119.607] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6a6) returned 0x339660 [0119.608] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339660 | out: hHeap=0x300000) returned 1 [0119.608] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340b0 | out: hHeap=0x300000) returned 1 [0119.609] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3393a0 | out: hHeap=0x300000) returned 1 [0119.609] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340f0 | out: hHeap=0x300000) returned 1 [0119.609] GetLastError () returned 0x7e [0119.609] SetLastError (dwErrCode=0x7e) [0119.609] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6) returned 0x3340b0 [0119.609] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2) returned 0x3340f0 [0119.609] GetLastError () returned 0x7e [0119.609] SetLastError (dwErrCode=0x7e) [0119.609] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x200) returned 0x339660 [0119.609] GetLastError () returned 0x7e [0119.609] SetLastError (dwErrCode=0x7e) [0119.609] GetLastError () returned 0x7e [0119.609] SetLastError (dwErrCode=0x7e) [0119.609] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x4) returned 0x334110 [0119.609] GetLastError () returned 0x7e [0119.609] SetLastError (dwErrCode=0x7e) [0119.609] GetLastError () returned 0x7e [0119.609] SetLastError (dwErrCode=0x7e) [0119.609] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x158) returned 0x3393a0 [0119.610] GetLastError () returned 0x7e [0119.610] SetLastError (dwErrCode=0x7e) [0119.610] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6a6) returned 0x339870 [0119.610] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339870 | out: hHeap=0x300000) returned 1 [0119.610] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340b0 | out: hHeap=0x300000) returned 1 [0119.611] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339500 | out: hHeap=0x300000) returned 1 [0119.611] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x334110 | out: hHeap=0x300000) returned 1 [0119.611] GetLastError () returned 0x7e [0119.611] SetLastError (dwErrCode=0x7e) [0119.611] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x6) returned 0x3340b0 [0119.611] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340f0 | out: hHeap=0x300000) returned 1 [0119.611] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340d0 | out: hHeap=0x300000) returned 1 [0119.611] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336370 [0119.611] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.611] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x25a) returned 0x339870 [0119.625] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.637] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e90 [0119.637] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325ec0 [0119.637] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.638] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e90 | out: hHeap=0x300000) returned 1 [0119.638] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e90 [0119.638] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x60) returned 0x32d5e0 [0119.639] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.639] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x80) returned 0x3340d0 [0119.639] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32d5e0 | out: hHeap=0x300000) returned 1 [0119.639] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325ef0 [0119.639] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xc0) returned 0x336170 [0119.640] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340d0 | out: hHeap=0x300000) returned 1 [0119.640] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325f20 [0119.640] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325f50 [0119.640] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x120) returned 0x339500 [0119.640] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336170 | out: hHeap=0x300000) returned 1 [0119.640] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325f80 [0119.640] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325fb0 [0119.640] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x1a0) returned 0x339ae0 [0119.641] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339500 | out: hHeap=0x300000) returned 1 [0119.641] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325fe0 [0119.641] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326010 [0119.641] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326040 [0119.641] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326070 [0119.641] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x260) returned 0x339c90 [0119.641] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339ae0 | out: hHeap=0x300000) returned 1 [0119.641] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x3260a0 [0119.641] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x3260d0 [0119.641] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326100 [0119.641] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326130 [0119.642] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x326160 [0119.642] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339f30 [0119.642] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x380) returned 0x33ab00 [0119.642] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339c90 | out: hHeap=0x300000) returned 1 [0119.642] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339f60 [0119.643] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339f90 [0119.643] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339fc0 [0119.643] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x339ff0 [0119.643] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a020 [0119.643] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a050 [0119.643] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a080 [0119.643] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a0b0 [0119.643] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a0e0 [0119.643] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x540) returned 0x33ae90 [0119.644] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ab00 | out: hHeap=0x300000) returned 1 [0119.644] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a110 [0119.644] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a140 [0119.644] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a170 [0119.644] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a1a0 [0119.644] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x33a1d0 [0119.644] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.645] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339870 | out: hHeap=0x300000) returned 1 [0119.645] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.645] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.645] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.645] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.645] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0119.645] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.645] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.646] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.646] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.646] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.646] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.646] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330250 [0119.646] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.646] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.646] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.646] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0119.646] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.646] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.647] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.647] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.647] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.647] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.647] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x80) returned 0x3340d0 [0119.648] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330250 | out: hHeap=0x300000) returned 1 [0119.648] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.648] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.649] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.649] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xf) returned 0x3363b0 [0119.649] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.649] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.649] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.649] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.649] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.649] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.649] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xc0) returned 0x336170 [0119.650] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3340d0 | out: hHeap=0x300000) returned 1 [0119.650] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.650] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.651] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.651] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3363b0 [0119.651] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.651] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.651] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.858] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.858] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.858] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.858] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x100) returned 0x339500 [0119.858] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336170 | out: hHeap=0x300000) returned 1 [0119.859] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.859] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.859] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.859] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3363b0 [0119.859] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.859] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.860] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.860] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.860] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.860] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.860] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x180) returned 0x33ab00 [0119.861] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339500 | out: hHeap=0x300000) returned 1 [0119.861] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.861] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.861] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.861] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0119.862] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.862] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.862] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.862] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.862] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.862] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.863] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.863] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.863] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.863] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3363b0 [0119.863] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.864] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.864] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.864] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.864] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.864] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.864] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x240) returned 0x339870 [0119.865] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ab00 | out: hHeap=0x300000) returned 1 [0119.866] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.866] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.866] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.866] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xe) returned 0x3363b0 [0119.866] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.866] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.866] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.867] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.867] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.867] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.867] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.867] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.867] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.868] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0119.868] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.868] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.868] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.868] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.868] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.868] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.869] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.869] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.869] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.869] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0119.869] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.869] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.870] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.872] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.872] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.872] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.872] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x340) returned 0x33ab00 [0119.873] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339870 | out: hHeap=0x300000) returned 1 [0119.873] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.873] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.873] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.873] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3363b0 [0119.873] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.873] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.874] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.874] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.874] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.874] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.875] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.875] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.875] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.875] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0119.875] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.875] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.875] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.875] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.878] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.878] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.878] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.879] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.879] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.879] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3363b0 [0119.879] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.879] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.879] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.879] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.879] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.879] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.880] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.880] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.881] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.881] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0119.881] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.881] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.881] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.881] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.881] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.881] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.881] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x4c0) returned 0x339870 [0119.881] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ab00 | out: hHeap=0x300000) returned 1 [0119.882] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.882] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.882] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.882] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0119.882] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.882] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.883] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.883] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.883] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.883] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.884] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.884] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.884] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.884] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0119.884] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.884] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.885] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.885] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.885] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.885] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.885] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.885] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.889] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.889] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3363b0 [0119.889] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.889] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.890] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.890] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.890] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.890] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.890] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.890] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.891] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.891] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3363b0 [0119.891] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.891] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.891] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.892] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.892] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.892] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.892] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.892] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.893] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.893] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0119.893] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.893] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.893] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.893] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.893] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.894] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.894] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.894] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.894] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.894] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0119.895] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.895] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.895] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.895] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.895] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.895] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.895] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x700) returned 0x33b3e0 [0119.896] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339870 | out: hHeap=0x300000) returned 1 [0119.896] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.896] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.897] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.897] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0119.897] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.897] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.897] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.897] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.897] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.897] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.898] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.898] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.898] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.898] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0119.898] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.898] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.899] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.899] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.899] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.899] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.899] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0119.900] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0119.900] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0119.900] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0119.900] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0119.900] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0119.901] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0119.901] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0119.901] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0119.901] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0119.901] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0120.155] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0120.155] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0120.155] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0120.155] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0120.155] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0120.156] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0120.156] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0120.156] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0120.156] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0120.156] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0120.156] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0120.156] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0120.156] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0120.156] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0120.156] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0120.157] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0120.157] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0120.157] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0120.157] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0120.157] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0120.157] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0120.157] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0120.157] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3363b0 [0120.157] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0120.157] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0120.158] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0120.158] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0120.158] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0120.158] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0120.158] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0120.158] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0120.158] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0120.158] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0120.158] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0120.158] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0120.159] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0120.159] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0120.159] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0120.159] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0120.159] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0120.159] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0120.159] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0120.159] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0120.159] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0120.159] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0120.160] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0120.160] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0120.160] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0120.160] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0120.160] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0120.160] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0120.160] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0120.161] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3363b0 [0120.161] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0120.161] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0120.161] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0120.161] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0120.161] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0120.161] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0120.161] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xa80) returned 0x33baf0 [0120.162] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33b3e0 | out: hHeap=0x300000) returned 1 [0120.162] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0120.162] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0120.162] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0120.162] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x3363b0 [0120.162] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0120.162] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0120.163] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0120.163] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0120.163] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0120.163] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0120.163] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0120.163] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0120.163] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0120.163] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x11) returned 0x3363b0 [0120.163] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0120.163] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0120.164] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0120.164] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0120.164] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0120.164] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0120.164] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0120.164] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0120.164] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0120.164] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x13) returned 0x3363b0 [0120.165] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0120.165] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0120.165] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0120.165] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0120.165] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0120.165] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0120.165] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0120.165] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336350 [0120.165] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x336390 [0120.166] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x12) returned 0x3363b0 [0120.166] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x325e60 [0120.166] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x330200 [0120.166] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e60 | out: hHeap=0x300000) returned 1 [0120.166] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3363b0 | out: hHeap=0x300000) returned 1 [0120.166] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336390 | out: hHeap=0x300000) returned 1 [0120.166] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336350 | out: hHeap=0x300000) returned 1 [0120.166] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x330200 | out: hHeap=0x300000) returned 1 [0120.167] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325ec0 | out: hHeap=0x300000) returned 1 [0120.169] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325e90 | out: hHeap=0x300000) returned 1 [0120.169] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325ef0 | out: hHeap=0x300000) returned 1 [0120.170] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325f20 | out: hHeap=0x300000) returned 1 [0120.170] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325f50 | out: hHeap=0x300000) returned 1 [0120.170] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325f80 | out: hHeap=0x300000) returned 1 [0120.171] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325fb0 | out: hHeap=0x300000) returned 1 [0120.171] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x325fe0 | out: hHeap=0x300000) returned 1 [0120.171] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326010 | out: hHeap=0x300000) returned 1 [0120.172] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326040 | out: hHeap=0x300000) returned 1 [0120.172] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326070 | out: hHeap=0x300000) returned 1 [0120.173] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3260a0 | out: hHeap=0x300000) returned 1 [0120.173] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3260d0 | out: hHeap=0x300000) returned 1 [0120.174] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326100 | out: hHeap=0x300000) returned 1 [0120.174] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326130 | out: hHeap=0x300000) returned 1 [0120.175] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326160 | out: hHeap=0x300000) returned 1 [0120.175] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339f30 | out: hHeap=0x300000) returned 1 [0120.175] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339f60 | out: hHeap=0x300000) returned 1 [0120.175] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339f90 | out: hHeap=0x300000) returned 1 [0120.176] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339fc0 | out: hHeap=0x300000) returned 1 [0120.176] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x339ff0 | out: hHeap=0x300000) returned 1 [0120.176] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a020 | out: hHeap=0x300000) returned 1 [0120.177] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a050 | out: hHeap=0x300000) returned 1 [0120.177] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a080 | out: hHeap=0x300000) returned 1 [0120.177] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a0b0 | out: hHeap=0x300000) returned 1 [0120.178] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a0e0 | out: hHeap=0x300000) returned 1 [0120.178] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a110 | out: hHeap=0x300000) returned 1 [0120.178] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a140 | out: hHeap=0x300000) returned 1 [0120.179] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a170 | out: hHeap=0x300000) returned 1 [0120.179] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a1a0 | out: hHeap=0x300000) returned 1 [0120.180] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33a1d0 | out: hHeap=0x300000) returned 1 [0120.180] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33ae90 | out: hHeap=0x300000) returned 1 [0120.180] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335f00 | out: hHeap=0x300000) returned 1 [0120.180] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0120.342] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0124.928] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0124.928] GetProcAddress (hModule=0x77280000, lpProcName="ZwAllocateVirtualMemory") returned 0x772d1490 [0124.928] GetProcAddress (hModule=0x77280000, lpProcName="ZwWriteVirtualMemory") returned 0x772d16b0 [0124.928] GetProcAddress (hModule=0x77280000, lpProcName="ZwReadVirtualMemory") returned 0x772d1700 [0124.928] GetProcAddress (hModule=0x77280000, lpProcName="ZwGetContextThread") returned 0x772d1fe0 [0124.928] GetProcAddress (hModule=0x77280000, lpProcName="ZwSetContextThread") returned 0x772d2840 [0124.942] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x347ff0 [0125.042] CoCreateInstance (in: rclsid=0x1e657e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e657f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x254f1f0 | out: ppv=0x254f1f0*=0x3366d0) returned 0x0 [0125.065] WbemLocator:IWbemLocator:ConnectServer (in: This=0x3366d0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x254f1e8 | out: ppNamespace=0x254f1e8*=0x365f20) returned 0x0 [0126.132] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x7fefd730000 [0126.132] GetProcAddress (hModule=0x7fefd730000, lpProcName="CoSetProxyBlanket") returned 0x7fefd76bf00 [0126.132] CoSetProxyBlanket (pProxy=0x365f20, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0126.155] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x3369d0 [0126.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x347ff0, cbMultiByte=35, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 35 [0126.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x347ff0, cbMultiByte=35, lpWideCharStr=0x254f0e0, cchWideChar=35 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystem") returned 35 [0126.258] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x3369f0 [0126.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e7b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0126.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e7b258, cbMultiByte=4, lpWideCharStr=0x254f120, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0126.258] IWbemServices:ExecQuery (in: This=0x365f20, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystem", lFlags=48, pCtx=0x0, ppEnum=0x254f1f8 | out: ppEnum=0x254f1f8*=0x36a4d0) returned 0x0 [0126.373] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3369f0 | out: hHeap=0x300000) returned 1 [0126.373] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3369d0 | out: hHeap=0x300000) returned 1 [0126.373] IEnumWbemClassObject:Next (in: This=0x36a4d0, lTimeout=-1, uCount=0x1, apObjects=0x254f200, puReturned=0x254f318 | out: apObjects=0x254f200*=0x36e2e0, puReturned=0x254f318*=0x1) returned 0x0 [0126.549] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x254f350, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0126.670] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x254f350, cbMultiByte=4, lpWideCharStr=0x254f118, cchWideChar=4 | out: lpWideCharStr="Name") returned 4 [0126.797] IWbemClassObject:Get (in: This=0x36e2e0, wszName="Name", lFlags=0, pVal=0x254f2a0*(varType=0x0, wReserved1=0x34, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x254f2a0*(varType=0x8, wReserved1=0x34, wReserved2=0x0, wReserved3=0x0, varVal1="Q9IATRKPRH", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0126.810] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x34bca0 [0126.810] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0126.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x254f138, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Q9IATRKPRH", lpUsedDefaultChar=0x0) returned 10 [0126.928] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x34bca0 | out: hHeap=0x300000) returned 1 [0126.928] IUnknown:Release (This=0x36e2e0) returned 0x0 [0126.928] WbemLocator:IUnknown:Release (This=0x365f20) returned 0x0 [0126.999] WbemLocator:IUnknown:Release (This=0x3366d0) returned 0x0 [0127.000] IUnknown:Release (This=0x36a4d0) returned 0x0 [0127.016] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x347ff0 | out: hHeap=0x300000) returned 1 [0127.031] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x347ff0 [0127.031] CoCreateInstance (in: rclsid=0x1e657e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e657f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x254f1f0 | out: ppv=0x254f1f0*=0x3369f0) returned 0x0 [0127.031] WbemLocator:IWbemLocator:ConnectServer (in: This=0x3369f0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x254f1e8 | out: ppNamespace=0x254f1e8*=0x365f20) returned 0x0 [0127.223] CoSetProxyBlanket (pProxy=0x365f20, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0127.224] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x336a50 [0127.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x347ff0, cbMultiByte=42, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 42 [0127.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x347ff0, cbMultiByte=42, lpWideCharStr=0x254f0d0, cchWideChar=42 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystemProduct") returned 42 [0127.224] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x3366d0 [0127.224] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e7b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0127.225] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e7b258, cbMultiByte=4, lpWideCharStr=0x254f120, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0127.225] IWbemServices:ExecQuery (in: This=0x365f20, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystemProduct", lFlags=48, pCtx=0x0, ppEnum=0x254f1f8 | out: ppEnum=0x254f1f8*=0x36a4d0) returned 0x0 [0127.227] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3366d0 | out: hHeap=0x300000) returned 1 [0127.228] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x336a50 | out: hHeap=0x300000) returned 1 [0127.228] IEnumWbemClassObject:Next (in: This=0x36a4d0, lTimeout=-1, uCount=0x1, apObjects=0x254f200, puReturned=0x254f318 | out: apObjects=0x254f200*=0x36c250, puReturned=0x254f318*=0x1) returned 0x0 [0127.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x254f350, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0127.409] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x254f350, cbMultiByte=4, lpWideCharStr=0x254f118, cchWideChar=4 | out: lpWideCharStr="UUID") returned 4 [0127.409] IWbemClassObject:Get (in: This=0x36c250, wszName="UUID", lFlags=0, pVal=0x254f2a0*(varType=0x0, wReserved1=0x34, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x254f2a0*(varType=0x8, wReserved1=0x34, wReserved2=0x0, wReserved3=0x0, varVal1="4C4C4544-0050-3710-8058-CAC04F59344A", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0127.409] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x50) returned 0x3476d0 [0127.409] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0127.409] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x35dd00 [0127.409] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x35dd00, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4C4C4544-0050-3710-8058-CAC04F59344A", lpUsedDefaultChar=0x0) returned 36 [0127.410] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3476d0 | out: hHeap=0x300000) returned 1 [0127.410] IUnknown:Release (This=0x36c250) returned 0x0 [0127.410] WbemLocator:IUnknown:Release (This=0x365f20) returned 0x0 [0127.411] WbemLocator:IUnknown:Release (This=0x3369f0) returned 0x0 [0127.411] IUnknown:Release (This=0x36a4d0) returned 0x0 [0127.417] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x347ff0 | out: hHeap=0x300000) returned 1 [0127.417] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x347ff0 [0127.795] GetLastError () returned 0x0 [0127.795] SetLastError (dwErrCode=0x0) [0127.936] GetLastError () returned 0x0 [0127.936] SetLastError (dwErrCode=0x0) [0127.936] GetLastError () returned 0x0 [0127.936] SetLastError (dwErrCode=0x0) [0127.936] GetLastError () returned 0x0 [0127.936] SetLastError (dwErrCode=0x0) [0127.936] GetLastError () returned 0x0 [0127.936] SetLastError (dwErrCode=0x0) [0127.936] GetLastError () returned 0x0 [0127.936] SetLastError (dwErrCode=0x0) [0127.936] GetLastError () returned 0x0 [0127.936] SetLastError (dwErrCode=0x0) [0127.937] GetLastError () returned 0x0 [0127.937] SetLastError (dwErrCode=0x0) [0127.937] GetLastError () returned 0x0 [0127.937] SetLastError (dwErrCode=0x0) [0127.937] GetLastError () returned 0x0 [0127.937] SetLastError (dwErrCode=0x0) [0127.937] GetLastError () returned 0x0 [0127.937] SetLastError (dwErrCode=0x0) [0127.937] GetLastError () returned 0x0 [0127.937] SetLastError (dwErrCode=0x0) [0127.937] GetLastError () returned 0x0 [0127.937] SetLastError (dwErrCode=0x0) [0127.937] GetLastError () returned 0x0 [0127.937] SetLastError (dwErrCode=0x0) [0127.937] GetLastError () returned 0x0 [0127.937] SetLastError (dwErrCode=0x0) [0127.937] GetLastError () returned 0x0 [0127.937] SetLastError (dwErrCode=0x0) [0127.937] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x35dcc0 [0127.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x35dcc0, cbMultiByte=32, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 32 [0127.938] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x50) returned 0x3473d0 [0127.938] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x35dcc0, cbMultiByte=32, lpWideCharStr=0x3473d0, cchWideChar=32 | out: lpWideCharStr="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 32 [0127.938] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 0x17c [0127.938] GetLastError () returned 0xb7 [0127.938] CloseHandle (hObject=0x17c) returned 1 [0127.939] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3473d0 | out: hHeap=0x300000) returned 1 [0127.939] CoUninitialize () [0128.222] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x35dcc0 | out: hHeap=0x300000) returned 1 [0128.223] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x347ff0 | out: hHeap=0x300000) returned 1 [0128.223] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x35dd00 | out: hHeap=0x300000) returned 1 [0128.352] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x33baf0 | out: hHeap=0x300000) returned 1 [0128.353] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bf40 | out: hHeap=0x300000) returned 1 [0128.354] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bec0 | out: hHeap=0x300000) returned 1 [0128.355] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x335b30 | out: hHeap=0x300000) returned 1 Thread: id = 172 os_tid = 0x7c0 Thread: id = 173 os_tid = 0x1d8 [0125.133] GetLastError () returned 0x57 [0125.133] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x32bfc0 [0125.133] SetLastError (dwErrCode=0x57) [0125.133] GetLastError () returned 0x57 [0125.134] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x350cc0 [0125.134] SetLastError (dwErrCode=0x57) Thread: id = 175 os_tid = 0x720 [0125.601] GetLastError () returned 0x57 [0125.702] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x32c040 [0125.702] SetLastError (dwErrCode=0x57) [0125.716] GetLastError () returned 0x57 [0125.728] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x3643c0 [0125.843] SetLastError (dwErrCode=0x57) Thread: id = 176 os_tid = 0x738 [0125.943] GetLastError () returned 0x57 [0125.943] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x32c0c0 [0125.943] SetLastError (dwErrCode=0x57) [0125.943] GetLastError () returned 0x57 [0125.943] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x364bb0 [0125.943] SetLastError (dwErrCode=0x57) Process: id = "28" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x3db0e000" os_pid = "0xb14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"127.0.0.1\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1581 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1582 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1583 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1584 start_va = 0xb0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 1585 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1586 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1587 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1588 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1589 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1590 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1591 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1592 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1593 start_va = 0x1b0000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1594 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1595 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1596 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1597 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1598 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1599 start_va = 0x1b0000 end_va = 0x216fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1600 start_va = 0x3a0000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1601 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1602 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1603 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1604 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1605 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1606 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1607 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1608 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1609 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1610 start_va = 0x220000 end_va = 0x2bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 1611 start_va = 0x4a0000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 1612 start_va = 0x50000 end_va = 0x78fff monitored = 0 entry_point = 0x51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1613 start_va = 0x5a0000 end_va = 0x727fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1614 start_va = 0x50000 end_va = 0x78fff monitored = 0 entry_point = 0x51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1615 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1616 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1617 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1618 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1619 start_va = 0x730000 end_va = 0x8b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 1620 start_va = 0x8c0000 end_va = 0x1cbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 1626 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1627 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1628 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1643 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1644 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Thread: id = 59 os_tid = 0xb18 [0082.543] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afd58 | out: lpSystemTimeAsFileTime=0x1afd58*(dwLowDateTime=0x29d63ce0, dwHighDateTime=0x1d937fd)) [0082.543] GetCurrentThreadId () returned 0xb18 [0082.543] GetCurrentProcessId () returned 0xb14 [0082.543] QueryPerformanceCounter (in: lpPerformanceCount=0x1afd60 | out: lpPerformanceCount=0x1afd60*=3321682641157) returned 1 [0082.544] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0082.546] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0082.547] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0082.547] GetLastError () returned 0x7e [0082.547] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0082.547] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0082.548] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0082.548] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0082.548] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0082.549] GetProcessHeap () returned 0x3a0000 [0082.549] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0082.549] GetLastError () returned 0x7e [0082.549] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0082.549] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0082.550] GetLastError () returned 0x7e [0082.550] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0082.550] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0082.550] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x3c8) returned 0x3bcfb0 [0082.550] SetLastError (dwErrCode=0x7e) [0082.550] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x1200) returned 0x3bd380 [0082.553] GetStartupInfoW (in: lpStartupInfo=0x1afc30 | out: lpStartupInfo=0x1afc30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x1afcb8, hStdError=0x1)) [0082.553] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0082.553] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0082.553] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0082.553] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"127.0.0.1\"" [0082.553] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"127.0.0.1\"" [0082.553] GetACP () returned 0x4e4 [0082.553] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x0, Size=0x228) returned 0x3bab90 [0082.553] IsValidCodePage (CodePage=0x4e4) returned 1 [0082.553] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1afbf0 | out: lpCPInfo=0x1afbf0) returned 1 [0082.553] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1af490 | out: lpCPInfo=0x1af490) returned 1 [0082.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af4b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0082.553] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af4b0, cbMultiByte=256, lpWideCharStr=0x1af1e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0082.553] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x1af7b0 | out: lpCharType=0x1af7b0) returned 1 [0082.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af4b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0082.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af4b0, cbMultiByte=256, lpWideCharStr=0x1af180, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0082.554] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0082.554] GetLastError () returned 0x7e [0082.554] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0082.554] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0082.555] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1aef70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0082.555] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1af5b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«;", lpUsedDefaultChar=0x0) returned 256 [0082.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af4b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0082.555] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1af4b0, cbMultiByte=256, lpWideCharStr=0x1af180, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0082.555] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0082.555] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1aef70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0082.555] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1af6b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0082.555] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x0, Size=0x100) returned 0x3bf590 [0082.556] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x18e) returned 0x3bf6a0 [0082.556] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0082.556] GetLastError () returned 0x0 [0082.556] SetLastError (dwErrCode=0x0) [0082.556] GetEnvironmentStringsW () returned 0x3bf840* [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x0, Size=0xb32) returned 0x3c0380 [0082.556] FreeEnvironmentStringsW (penv=0x3bf840) returned 1 [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x128) returned 0x3bf840 [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x3e) returned 0x3bafe0 [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x56) returned 0x3badc0 [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x62) returned 0x3c0ec0 [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x78) returned 0x3c0f30 [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x62) returned 0x3bf970 [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x30) returned 0x3be900 [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x48) returned 0x3bb030 [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x28) returned 0x3b79a0 [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x1a) returned 0x3b79d0 [0082.556] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x34) returned 0x3be940 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x5c) returned 0x3bf9e0 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x32) returned 0x3be980 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x2e) returned 0x3be9c0 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x1c) returned 0x3b7a00 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x19c) returned 0x3bfa50 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x7c) returned 0x3bfc00 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x3a) returned 0x3bb080 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x90) returned 0x3bfc90 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x24) returned 0x3b7a30 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x30) returned 0x3bea00 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x36) returned 0x3bea40 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x3c) returned 0x3bb0d0 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x52) returned 0x3bfd30 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x3c) returned 0x3bb120 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0xd6) returned 0x3bfd90 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x2e) returned 0x3bea80 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x1e) returned 0x3b7a60 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x2c) returned 0x3beac0 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x54) returned 0x3bfe70 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x52) returned 0x3bfed0 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x2c) returned 0x3beb00 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x26) returned 0x3b7a90 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x3e) returned 0x3bb170 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x24) returned 0x3b7ac0 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x30) returned 0x3beb40 [0082.557] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x8c) returned 0x3bff30 [0082.558] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3c0380 | out: hHeap=0x3a0000) returned 1 [0082.558] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x8, Size=0x1000) returned 0x3c0fb0 [0082.558] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0082.558] GetStartupInfoW (in: lpStartupInfo=0x1afcc0 | out: lpStartupInfo=0x1afcc0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0082.559] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"127.0.0.1\"" [0082.559] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"127.0.0.1\"", pNumArgs=0x1afc90 | out: pNumArgs=0x1afc90) returned 0x3c0450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0082.559] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0082.565] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x0, Size=0x1000) returned 0x3c40a0 [0082.565] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x0, Size=0x12) returned 0x3c0e80 [0082.565] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="FPH732n7", cchWideChar=-1, lpMultiByteStr=0x3c0e80, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FPH732n7", lpUsedDefaultChar=0x0) returned 9 [0082.565] GetLastError () returned 0x0 [0082.565] SetLastError (dwErrCode=0x0) [0082.565] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7W") returned 0x0 [0082.565] GetLastError () returned 0x7f [0082.566] SetLastError (dwErrCode=0x7f) [0082.566] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7A") returned 0x0 [0082.566] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7") returned 0x7fef2eb1cf0 [0082.566] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0x0, Size=0x14) returned 0x3c0ea0 [0082.566] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="127.0.0.1", cchWideChar=-1, lpMultiByteStr=0x3c0ea0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="127.0.0.1", lpUsedDefaultChar=0x0) returned 10 [0082.566] GetActiveWindow () returned 0x0 [0082.978] GetLastError () returned 0x7f [0082.978] SetLastError (dwErrCode=0x7f) Process: id = "29" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x3e019000" os_pid = "0xb3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"127.0.0.1\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1655 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1656 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1657 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1658 start_va = 0x70000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1659 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1660 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1661 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1662 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 1663 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1664 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1665 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1666 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 1667 start_va = 0x170000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1668 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1669 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1670 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1671 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1672 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1673 start_va = 0x170000 end_va = 0x1d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1674 start_va = 0x270000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1675 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1676 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1677 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1678 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1679 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1680 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1681 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1682 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1683 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1684 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1685 start_va = 0x370000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 1690 start_va = 0x1e0000 end_va = 0x208fff monitored = 0 entry_point = 0x1e1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1691 start_va = 0x470000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 1692 start_va = 0x1e0000 end_va = 0x208fff monitored = 0 entry_point = 0x1e1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1693 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1694 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1695 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1696 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1697 start_va = 0x600000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 1698 start_va = 0x790000 end_va = 0x1b8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 1699 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 1700 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 1701 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1703 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1704 start_va = 0x200000 end_va = 0x200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2630 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2631 start_va = 0x200000 end_va = 0x200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Thread: id = 62 os_tid = 0xb40 [0087.575] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fa18 | out: lpSystemTimeAsFileTime=0x16fa18*(dwLowDateTime=0x2baa87b0, dwHighDateTime=0x1d937fd)) [0087.575] GetCurrentThreadId () returned 0xb40 [0087.575] GetCurrentProcessId () returned 0xb3c [0087.575] QueryPerformanceCounter (in: lpPerformanceCount=0x16fa20 | out: lpPerformanceCount=0x16fa20*=3322185790644) returned 1 [0087.575] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0087.581] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0087.582] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0087.582] GetLastError () returned 0x7e [0087.582] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0087.582] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0087.583] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0087.583] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0087.583] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0087.584] GetProcessHeap () returned 0x270000 [0087.584] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0087.584] GetLastError () returned 0x7e [0087.584] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0087.584] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0087.584] GetLastError () returned 0x7e [0087.584] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0087.584] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0087.585] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x3c8) returned 0x28cfb0 [0087.585] SetLastError (dwErrCode=0x7e) [0087.585] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1200) returned 0x28d380 [0087.587] GetStartupInfoW (in: lpStartupInfo=0x16f8f0 | out: lpStartupInfo=0x16f8f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x16f978, hStdError=0x1)) [0087.587] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0087.587] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0087.587] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0087.587] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"127.0.0.1\"" [0087.587] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"127.0.0.1\"" [0087.587] GetACP () returned 0x4e4 [0087.588] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x0, Size=0x228) returned 0x28ab90 [0087.588] IsValidCodePage (CodePage=0x4e4) returned 1 [0087.588] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x16f8b0 | out: lpCPInfo=0x16f8b0) returned 1 [0087.588] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x16f150 | out: lpCPInfo=0x16f150) returned 1 [0087.588] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f170, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0087.588] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f170, cbMultiByte=256, lpWideCharStr=0x16eea0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0087.588] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x16f470 | out: lpCharType=0x16f470) returned 1 [0087.588] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f170, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0087.588] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f170, cbMultiByte=256, lpWideCharStr=0x16ee40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0087.588] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0087.588] GetLastError () returned 0x7e [0087.588] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0087.589] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0087.589] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x16ec30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0087.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x16f270, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«(", lpUsedDefaultChar=0x0) returned 256 [0087.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f170, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0087.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f170, cbMultiByte=256, lpWideCharStr=0x16ee40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0087.589] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0087.589] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x16ec30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0087.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x16f370, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0087.589] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x0, Size=0x100) returned 0x28f590 [0087.589] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0087.589] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x18e) returned 0x28f6a0 [0087.590] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0087.590] GetLastError () returned 0x0 [0087.590] SetLastError (dwErrCode=0x0) [0087.590] GetEnvironmentStringsW () returned 0x28f840* [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x0, Size=0xb32) returned 0x290380 [0087.590] FreeEnvironmentStringsW (penv=0x28f840) returned 1 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x128) returned 0x28f840 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x3e) returned 0x28afe0 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x56) returned 0x28adc0 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x62) returned 0x290ec0 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x78) returned 0x290f30 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x62) returned 0x28f970 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x30) returned 0x28e900 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x48) returned 0x28b030 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x28) returned 0x2879a0 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1a) returned 0x2879d0 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x34) returned 0x28e940 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x5c) returned 0x28f9e0 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x32) returned 0x28e980 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x2e) returned 0x28e9c0 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1c) returned 0x287a00 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x19c) returned 0x28fa50 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x7c) returned 0x28fc00 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x3a) returned 0x28b080 [0087.590] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x90) returned 0x28fc90 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x24) returned 0x287a30 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x30) returned 0x28ea00 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x36) returned 0x28ea40 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x3c) returned 0x28b0d0 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x52) returned 0x28fd30 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x3c) returned 0x28b120 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0xd6) returned 0x28fd90 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x2e) returned 0x28ea80 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1e) returned 0x287a60 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x2c) returned 0x28eac0 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x54) returned 0x28fe70 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x52) returned 0x28fed0 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x2c) returned 0x28eb00 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x26) returned 0x287a90 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x3e) returned 0x28b170 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x24) returned 0x287ac0 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x30) returned 0x28eb40 [0087.591] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x8c) returned 0x28ff30 [0087.592] HeapFree (in: hHeap=0x270000, dwFlags=0x0, lpMem=0x290380 | out: hHeap=0x270000) returned 1 [0087.592] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x8, Size=0x1000) returned 0x290fb0 [0087.592] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0087.592] GetStartupInfoW (in: lpStartupInfo=0x16f980 | out: lpStartupInfo=0x16f980*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0087.592] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"127.0.0.1\"" [0087.592] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"127.0.0.1\"", pNumArgs=0x16f950 | out: pNumArgs=0x16f950) returned 0x290450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0087.592] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0087.598] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x0, Size=0x1000) returned 0x2940a0 [0087.598] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x0, Size=0x12) returned 0x290e80 [0087.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="KlXWgB9j", cchWideChar=-1, lpMultiByteStr=0x290e80, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="KlXWgB9j", lpUsedDefaultChar=0x0) returned 9 [0087.598] GetLastError () returned 0x0 [0087.598] SetLastError (dwErrCode=0x0) [0087.599] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jW") returned 0x0 [0087.599] GetLastError () returned 0x7f [0087.599] SetLastError (dwErrCode=0x7f) [0087.599] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jA") returned 0x0 [0087.599] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9j") returned 0x7fef2eb0010 [0087.599] RtlAllocateHeap (HeapHandle=0x270000, Flags=0x0, Size=0x14) returned 0x290ea0 [0087.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="127.0.0.1", cchWideChar=-1, lpMultiByteStr=0x290ea0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="127.0.0.1", lpUsedDefaultChar=0x0) returned 10 [0087.599] GetActiveWindow () returned 0x0 [0087.920] GetLastError () returned 0x7f [0087.920] SetLastError (dwErrCode=0x7f) Process: id = "30" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7818000" os_pid = "0x368" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "2" os_parent_pid = "0x1cc" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d9b2" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1717 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1718 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1719 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1720 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1721 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1722 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1723 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1724 start_va = 0x80000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1725 start_va = 0x90000 end_va = 0x90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 1726 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 1727 start_va = 0xb0000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 1728 start_va = 0x130000 end_va = 0x196fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1729 start_va = 0x1a0000 end_va = 0x1aafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 1730 start_va = 0x1b0000 end_va = 0x1bcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 1731 start_va = 0x1c0000 end_va = 0x2bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1732 start_va = 0x2c0000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 1733 start_va = 0x3c0000 end_va = 0x547fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 1734 start_va = 0x550000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1735 start_va = 0x6e0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 1736 start_va = 0x7a0000 end_va = 0x7a3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskcomp.dll.mui" filename = "\\Windows\\System32\\en-US\\taskcomp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\taskcomp.dll.mui") Region: id = 1737 start_va = 0x7b0000 end_va = 0x7b9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "schedsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\schedsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\schedsvc.dll.mui") Region: id = 1738 start_va = 0x7c0000 end_va = 0x7c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 1739 start_va = 0x7d0000 end_va = 0x7dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1740 start_va = 0x7e0000 end_va = 0x7e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 1741 start_va = 0x7f0000 end_va = 0x7f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1742 start_va = 0x800000 end_va = 0x800fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 1743 start_va = 0x810000 end_va = 0x829fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 1744 start_va = 0x830000 end_va = 0x830fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 1745 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 1746 start_va = 0x850000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 1747 start_va = 0x860000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1748 start_va = 0x8e0000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 1749 start_va = 0x960000 end_va = 0x961fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 1750 start_va = 0x970000 end_va = 0x9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 1751 start_va = 0x9f0000 end_va = 0x9f3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1752 start_va = 0xa00000 end_va = 0xa01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 1753 start_va = 0xa10000 end_va = 0xa13fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1754 start_va = 0xa20000 end_va = 0xa2dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 1755 start_va = 0xa30000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 1756 start_va = 0xab0000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000015.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000015.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000015.db") Region: id = 1757 start_va = 0xae0000 end_va = 0xae7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 1758 start_va = 0xaf0000 end_va = 0xb6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 1759 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 1760 start_va = 0xb80000 end_va = 0xb80fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 1761 start_va = 0xb90000 end_va = 0xbaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 1762 start_va = 0xbb0000 end_va = 0xbb2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wuaueng.dll.mui" filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wuaueng.dll.mui") Region: id = 1763 start_va = 0xbc0000 end_va = 0xbc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 1764 start_va = 0xc00000 end_va = 0xecefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1765 start_va = 0xed0000 end_va = 0xf35fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 1766 start_va = 0xf40000 end_va = 0xf47fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 1767 start_va = 0xf50000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 1768 start_va = 0xfd0000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 1769 start_va = 0xfe0000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 1770 start_va = 0x1060000 end_va = 0x107bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 1771 start_va = 0x1080000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 1772 start_va = 0x1090000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 1773 start_va = 0x10a0000 end_va = 0x10a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 1774 start_va = 0x10b0000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 1775 start_va = 0x1130000 end_va = 0x1131fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 1776 start_va = 0x1140000 end_va = 0x1140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 1777 start_va = 0x1150000 end_va = 0x115ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 1778 start_va = 0x1160000 end_va = 0x1167fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 1779 start_va = 0x1170000 end_va = 0x11effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 1780 start_va = 0x11f0000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 1781 start_va = 0x1200000 end_va = 0x120ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 1782 start_va = 0x1210000 end_va = 0x121ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001210000" filename = "" Region: id = 1783 start_va = 0x1220000 end_va = 0x122ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1784 start_va = 0x1230000 end_va = 0x123ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1785 start_va = 0x1240000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 1786 start_va = 0x12c0000 end_va = 0x12c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 1787 start_va = 0x12d0000 end_va = 0x12dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 1788 start_va = 0x12e0000 end_va = 0x12effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 1789 start_va = 0x12f0000 end_va = 0x12f7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 1790 start_va = 0x1300000 end_va = 0x130ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 1791 start_va = 0x1310000 end_va = 0x131ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 1792 start_va = 0x1320000 end_va = 0x139ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 1793 start_va = 0x13a0000 end_va = 0x13a5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netcfgx.dll.mui" filename = "\\Windows\\System32\\en-US\\netcfgx.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netcfgx.dll.mui") Region: id = 1794 start_va = 0x13b0000 end_va = 0x142ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 1795 start_va = 0x1430000 end_va = 0x143ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001430000" filename = "" Region: id = 1796 start_va = 0x1440000 end_va = 0x144ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001440000" filename = "" Region: id = 1797 start_va = 0x1450000 end_va = 0x145ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001450000" filename = "" Region: id = 1798 start_va = 0x1460000 end_va = 0x146ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001460000" filename = "" Region: id = 1799 start_va = 0x1470000 end_va = 0x147ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001470000" filename = "" Region: id = 1800 start_va = 0x1480000 end_va = 0x148ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001480000" filename = "" Region: id = 1801 start_va = 0x1490000 end_va = 0x1490fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshtcpip.dll.mui" filename = "\\Windows\\System32\\en-US\\wshtcpip.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshtcpip.dll.mui") Region: id = 1802 start_va = 0x14a0000 end_va = 0x14a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wship6.dll.mui" filename = "\\Windows\\System32\\en-US\\wship6.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wship6.dll.mui") Region: id = 1803 start_va = 0x14b0000 end_va = 0x14b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000014b0000" filename = "" Region: id = 1804 start_va = 0x1540000 end_va = 0x15bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 1805 start_va = 0x15e0000 end_va = 0x165ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 1806 start_va = 0x1690000 end_va = 0x170ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001690000" filename = "" Region: id = 1807 start_va = 0x17a0000 end_va = 0x181ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017a0000" filename = "" Region: id = 1808 start_va = 0x1820000 end_va = 0x182ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001820000" filename = "" Region: id = 1809 start_va = 0x1830000 end_va = 0x183ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001830000" filename = "" Region: id = 1810 start_va = 0x1840000 end_va = 0x184ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001840000" filename = "" Region: id = 1811 start_va = 0x1850000 end_va = 0x185ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001850000" filename = "" Region: id = 1812 start_va = 0x1860000 end_va = 0x186ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001860000" filename = "" Region: id = 1813 start_va = 0x1870000 end_va = 0x187ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001870000" filename = "" Region: id = 1814 start_va = 0x1880000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001880000" filename = "" Region: id = 1815 start_va = 0x1950000 end_va = 0x19cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001950000" filename = "" Region: id = 1816 start_va = 0x19f0000 end_va = 0x1a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019f0000" filename = "" Region: id = 1817 start_va = 0x1ac0000 end_va = 0x1b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ac0000" filename = "" Region: id = 1818 start_va = 0x1bb0000 end_va = 0x1c2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bb0000" filename = "" Region: id = 1819 start_va = 0x1c30000 end_va = 0x1d2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 1820 start_va = 0x1d30000 end_va = 0x1e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d30000" filename = "" Region: id = 1821 start_va = 0x1e30000 end_va = 0x1eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 1822 start_va = 0x1eb0000 end_va = 0x1f2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 1823 start_va = 0x1f60000 end_va = 0x1fdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 1824 start_va = 0x2020000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 1825 start_va = 0x2100000 end_va = 0x217ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 1826 start_va = 0x21f0000 end_va = 0x226ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 1827 start_va = 0x2280000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002280000" filename = "" Region: id = 1828 start_va = 0x2300000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002300000" filename = "" Region: id = 1829 start_va = 0x24a0000 end_va = 0x251ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 1830 start_va = 0x2520000 end_va = 0x261ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002520000" filename = "" Region: id = 1831 start_va = 0x2630000 end_va = 0x26affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1832 start_va = 0x26d0000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 1833 start_va = 0x26e0000 end_va = 0x27dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 1834 start_va = 0x2830000 end_va = 0x283ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 1835 start_va = 0x28b0000 end_va = 0x292ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028b0000" filename = "" Region: id = 1836 start_va = 0x2980000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002980000" filename = "" Region: id = 1837 start_va = 0x2a10000 end_va = 0x2a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a10000" filename = "" Region: id = 1838 start_va = 0x2b40000 end_va = 0x2bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 1839 start_va = 0x2ce0000 end_va = 0x2d5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 1840 start_va = 0x2d60000 end_va = 0x2e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 1841 start_va = 0x2e60000 end_va = 0x305ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 1842 start_va = 0x3060000 end_va = 0x315ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003060000" filename = "" Region: id = 1843 start_va = 0x3180000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 1844 start_va = 0x3200000 end_va = 0x327ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 1845 start_va = 0x3290000 end_va = 0x32cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003290000" filename = "" Region: id = 1846 start_va = 0x32d0000 end_va = 0x330ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000032d0000" filename = "" Region: id = 1847 start_va = 0x3320000 end_va = 0x339ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003320000" filename = "" Region: id = 1848 start_va = 0x3430000 end_va = 0x34affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 1849 start_va = 0x3520000 end_va = 0x359ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003520000" filename = "" Region: id = 1850 start_va = 0x35a0000 end_va = 0x399ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035a0000" filename = "" Region: id = 1851 start_va = 0x3a30000 end_va = 0x3aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a30000" filename = "" Region: id = 1852 start_va = 0x3ae0000 end_va = 0x3b9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1853 start_va = 0x3c60000 end_va = 0x3d5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c60000" filename = "" Region: id = 1854 start_va = 0x3d60000 end_va = 0x3e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d60000" filename = "" Region: id = 1855 start_va = 0x3e60000 end_va = 0x3f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e60000" filename = "" Region: id = 1856 start_va = 0x3f60000 end_va = 0x405ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f60000" filename = "" Region: id = 1857 start_va = 0x4060000 end_va = 0x415ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004060000" filename = "" Region: id = 1858 start_va = 0x4220000 end_va = 0x429ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004220000" filename = "" Region: id = 1859 start_va = 0x42a0000 end_va = 0x439ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042a0000" filename = "" Region: id = 1860 start_va = 0x43a0000 end_va = 0x539ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000043a0000" filename = "" Region: id = 1861 start_va = 0x5410000 end_va = 0x548ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005410000" filename = "" Region: id = 1862 start_va = 0x5490000 end_va = 0x550ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005490000" filename = "" Region: id = 1863 start_va = 0x55e0000 end_va = 0x565ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000055e0000" filename = "" Region: id = 1864 start_va = 0x5a10000 end_va = 0x5a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a10000" filename = "" Region: id = 1865 start_va = 0x5a90000 end_va = 0x5b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a90000" filename = "" Region: id = 1866 start_va = 0x5b50000 end_va = 0x5bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b50000" filename = "" Region: id = 1867 start_va = 0x5cc0000 end_va = 0x5d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005cc0000" filename = "" Region: id = 1868 start_va = 0x5d40000 end_va = 0x5dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d40000" filename = "" Region: id = 1869 start_va = 0x5e20000 end_va = 0x5e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e20000" filename = "" Region: id = 1870 start_va = 0x5f40000 end_va = 0x613ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f40000" filename = "" Region: id = 1871 start_va = 0x6140000 end_va = 0x61bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006140000" filename = "" Region: id = 1872 start_va = 0x61f0000 end_va = 0x626ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000061f0000" filename = "" Region: id = 1873 start_va = 0x62d0000 end_va = 0x634ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062d0000" filename = "" Region: id = 1874 start_va = 0x6360000 end_va = 0x63dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006360000" filename = "" Region: id = 1875 start_va = 0x6460000 end_va = 0x64dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006460000" filename = "" Region: id = 1876 start_va = 0x6510000 end_va = 0x658ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006510000" filename = "" Region: id = 1877 start_va = 0x6650000 end_va = 0x66cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006650000" filename = "" Region: id = 1878 start_va = 0x66f0000 end_va = 0x676ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066f0000" filename = "" Region: id = 1879 start_va = 0x6770000 end_va = 0x6b6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006770000" filename = "" Region: id = 1880 start_va = 0x6c90000 end_va = 0x6d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006c90000" filename = "" Region: id = 1881 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1882 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1883 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1884 start_va = 0x77450000 end_va = 0x77456fff monitored = 0 entry_point = 0x7745106c region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 1885 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1886 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1887 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1888 start_va = 0xff110000 end_va = 0xff11afff monitored = 0 entry_point = 0xff11246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1889 start_va = 0x7fef2940000 end_va = 0x7fef2b13fff monitored = 0 entry_point = 0x7fef2976b00 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 1890 start_va = 0x7fef3340000 end_va = 0x7fef3381fff monitored = 0 entry_point = 0x7fef3370048 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 1891 start_va = 0x7fef3480000 end_va = 0x7fef3499fff monitored = 0 entry_point = 0x7fef3491ae4 region_type = mapped_file name = "rascfg.dll" filename = "\\Windows\\System32\\rascfg.dll" (normalized: "c:\\windows\\system32\\rascfg.dll") Region: id = 1892 start_va = 0x7fef3570000 end_va = 0x7fef37c2fff monitored = 0 entry_point = 0x7fef357236c region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 1893 start_va = 0x7fef3cc0000 end_va = 0x7fef3ccefff monitored = 0 entry_point = 0x7fef3cc6894 region_type = mapped_file name = "ndiscapcfg.dll" filename = "\\Windows\\System32\\ndiscapCfg.dll" (normalized: "c:\\windows\\system32\\ndiscapcfg.dll") Region: id = 1894 start_va = 0x7fef3cf0000 end_va = 0x7fef3d34fff monitored = 0 entry_point = 0x7fef3d23644 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 1895 start_va = 0x7fef3d40000 end_va = 0x7fef3d51fff monitored = 0 entry_point = 0x7fef3d490bc region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 1896 start_va = 0x7fef3d60000 end_va = 0x7fef3d69fff monitored = 0 entry_point = 0x7fef3d63994 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 1897 start_va = 0x7fef3d70000 end_va = 0x7fef3e41fff monitored = 0 entry_point = 0x7fef3e01a10 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 1898 start_va = 0x7fef5c80000 end_va = 0x7fef5c9bfff monitored = 0 entry_point = 0x7fef5c811a0 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 1899 start_va = 0x7fef5ca0000 end_va = 0x7fef5d01fff monitored = 0 entry_point = 0x7fef5ca1198 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 1900 start_va = 0x7fef5d10000 end_va = 0x7fef5d49fff monitored = 0 entry_point = 0x7fef5d11010 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 1901 start_va = 0x7fef6c80000 end_va = 0x7fef6ef9fff monitored = 0 entry_point = 0x7fef6cb2200 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 1902 start_va = 0x7fef6f00000 end_va = 0x7fef6f16fff monitored = 0 entry_point = 0x7fef6f09d50 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 1903 start_va = 0x7fef6f70000 end_va = 0x7fef6f8cfff monitored = 0 entry_point = 0x7fef6f72f18 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 1904 start_va = 0x7fef7080000 end_va = 0x7fef716dfff monitored = 0 entry_point = 0x7fef70812a0 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1905 start_va = 0x7fef8aa0000 end_va = 0x7fef8b1bfff monitored = 0 entry_point = 0x7fef8aa11d4 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 1906 start_va = 0x7fef8c00000 end_va = 0x7fef8c0bfff monitored = 0 entry_point = 0x7fef8c0602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1907 start_va = 0x7fef8c10000 end_va = 0x7fef8c1efff monitored = 0 entry_point = 0x7fef8c19a48 region_type = mapped_file name = "mspatcha.dll" filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll") Region: id = 1908 start_va = 0x7fef8c20000 end_va = 0x7fef8c3afff monitored = 0 entry_point = 0x7fef8c21198 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 1909 start_va = 0x7fef8ed0000 end_va = 0x7fef8ed7fff monitored = 0 entry_point = 0x7fef8ed1414 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1910 start_va = 0x7fef8ee0000 end_va = 0x7fef8f50fff monitored = 0 entry_point = 0x7fef8f251d0 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 1911 start_va = 0x7fef8f60000 end_va = 0x7fef8f71fff monitored = 0 entry_point = 0x7fef8f689d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1912 start_va = 0x7fef8f80000 end_va = 0x7fef9034fff monitored = 0 entry_point = 0x7fef8ffcf80 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 1913 start_va = 0x7fef9040000 end_va = 0x7fef9058fff monitored = 0 entry_point = 0x7fef9041104 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 1914 start_va = 0x7fef9060000 end_va = 0x7fef90affff monitored = 0 entry_point = 0x7fef9061190 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 1915 start_va = 0x7fef90b0000 end_va = 0x7fef90b7fff monitored = 0 entry_point = 0x7fef90b1020 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 1916 start_va = 0x7fef90c0000 end_va = 0x7fef9119fff monitored = 0 entry_point = 0x7fef90fdde0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 1917 start_va = 0x7fef9120000 end_va = 0x7fef9140fff monitored = 0 entry_point = 0x7fef91303b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1918 start_va = 0x7fef9150000 end_va = 0x7fef91c3fff monitored = 0 entry_point = 0x7fef91566f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1919 start_va = 0x7fef91d0000 end_va = 0x7fef923afff monitored = 0 entry_point = 0x7fef9214344 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 1920 start_va = 0x7fef9240000 end_va = 0x7fef9252fff monitored = 0 entry_point = 0x7fef9241d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1921 start_va = 0x7fef9260000 end_va = 0x7fef92c1fff monitored = 0 entry_point = 0x7fef929bd80 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 1922 start_va = 0x7fef92d0000 end_va = 0x7fef93fbfff monitored = 0 entry_point = 0x7fef9380ef0 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 1923 start_va = 0x7fef9400000 end_va = 0x7fef9419fff monitored = 0 entry_point = 0x7fef9413fbc region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 1924 start_va = 0x7fef9420000 end_va = 0x7fef94a3fff monitored = 0 entry_point = 0x7fef9471118 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 1925 start_va = 0x7fef94b0000 end_va = 0x7fef94d4fff monitored = 0 entry_point = 0x7fef94c8c54 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll") Region: id = 1926 start_va = 0x7fef94e0000 end_va = 0x7fef951cfff monitored = 0 entry_point = 0x7fef94e1070 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 1927 start_va = 0x7fef9520000 end_va = 0x7fef952dfff monitored = 0 entry_point = 0x7fef9525500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1928 start_va = 0x7fef9530000 end_va = 0x7fef9556fff monitored = 0 entry_point = 0x7fef95311a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1929 start_va = 0x7fef9560000 end_va = 0x7fef9632fff monitored = 0 entry_point = 0x7fef95d8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1930 start_va = 0x7fef9680000 end_va = 0x7fef96c6fff monitored = 0 entry_point = 0x7fef9681040 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 1931 start_va = 0x7fef96d0000 end_va = 0x7fef9711fff monitored = 0 entry_point = 0x7fef96d17e4 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 1932 start_va = 0x7fef9720000 end_va = 0x7fef97b1fff monitored = 0 entry_point = 0x7fef97951ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 1933 start_va = 0x7fef97c0000 end_va = 0x7fef9836fff monitored = 0 entry_point = 0x7fef97fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 1934 start_va = 0x7fef9840000 end_va = 0x7fef9879fff monitored = 0 entry_point = 0x7fef985d020 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 1935 start_va = 0x7fef9b30000 end_va = 0x7fef9b40fff monitored = 0 entry_point = 0x7fef9b39e7c region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 1936 start_va = 0x7fef9b50000 end_va = 0x7fef9bb3fff monitored = 0 entry_point = 0x7fef9b51254 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 1937 start_va = 0x7fef9bc0000 end_va = 0x7fef9c30fff monitored = 0 entry_point = 0x7fef9bc1010 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1938 start_va = 0x7fef9cf0000 end_va = 0x7fef9d06fff monitored = 0 entry_point = 0x7fef9cf1060 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1939 start_va = 0x7fef9d10000 end_va = 0x7fef9ebffff monitored = 0 entry_point = 0x7fef9d11010 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1940 start_va = 0x7fefa1a0000 end_va = 0x7fefa1a8fff monitored = 0 entry_point = 0x7fefa1a11a0 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 1941 start_va = 0x7fefa3b0000 end_va = 0x7fefa426fff monitored = 0 entry_point = 0x7fefa3bafd0 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 1942 start_va = 0x7fefa430000 end_va = 0x7fefa439fff monitored = 0 entry_point = 0x7fefa43260c region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 1943 start_va = 0x7fefa440000 end_va = 0x7fefa551fff monitored = 0 entry_point = 0x7fefa45f354 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 1944 start_va = 0x7fefa560000 end_va = 0x7fefa56efff monitored = 0 entry_point = 0x7fefa567e80 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 1945 start_va = 0x7fefa570000 end_va = 0x7fefa578fff monitored = 0 entry_point = 0x7fefa573668 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 1946 start_va = 0x7fefa580000 end_va = 0x7fefa588fff monitored = 0 entry_point = 0x7fefa581020 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 1947 start_va = 0x7fefa590000 end_va = 0x7fefa5e5fff monitored = 0 entry_point = 0x7fefa591040 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 1948 start_va = 0x7fefa5f0000 end_va = 0x7fefa64dfff monitored = 0 entry_point = 0x7fefa5f9024 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 1949 start_va = 0x7fefa650000 end_va = 0x7fefa667fff monitored = 0 entry_point = 0x7fefa651bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1950 start_va = 0x7fefa670000 end_va = 0x7fefa680fff monitored = 0 entry_point = 0x7fefa6716ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1951 start_va = 0x7fefa6a0000 end_va = 0x7fefa6f2fff monitored = 0 entry_point = 0x7fefa6a2b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1952 start_va = 0x7fefa710000 end_va = 0x7fefa724fff monitored = 0 entry_point = 0x7fefa711020 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 1953 start_va = 0x7fefac90000 end_va = 0x7fefaca3fff monitored = 0 entry_point = 0x7fefac93e64 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1954 start_va = 0x7fefacb0000 end_va = 0x7fefacbafff monitored = 0 entry_point = 0x7fefacb1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1955 start_va = 0x7fefacc0000 end_va = 0x7feface6fff monitored = 0 entry_point = 0x7fefacc98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1956 start_va = 0x7fefacf0000 end_va = 0x7fefad56fff monitored = 0 entry_point = 0x7fefad06060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1957 start_va = 0x7fefad70000 end_va = 0x7fefad7afff monitored = 0 entry_point = 0x7fefad74f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 1958 start_va = 0x7fefad80000 end_va = 0x7fefad8bfff monitored = 0 entry_point = 0x7fefad815d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1959 start_va = 0x7fefad90000 end_va = 0x7fefad9ffff monitored = 0 entry_point = 0x7fefad9835c region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1960 start_va = 0x7fefada0000 end_va = 0x7fefadb8fff monitored = 0 entry_point = 0x7fefada11a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1961 start_va = 0x7fefadc0000 end_va = 0x7fefadf6fff monitored = 0 entry_point = 0x7fefadc8424 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1962 start_va = 0x7fefae40000 end_va = 0x7fefae54fff monitored = 0 entry_point = 0x7fefae460d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1963 start_va = 0x7fefae60000 end_va = 0x7fefaf21fff monitored = 0 entry_point = 0x7fefae6101c region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1964 start_va = 0x7fefb160000 end_va = 0x7fefb168fff monitored = 0 entry_point = 0x7fefb161010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 1965 start_va = 0x7fefb250000 end_va = 0x7fefb27cfff monitored = 0 entry_point = 0x7fefb251010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1966 start_va = 0x7fefb280000 end_va = 0x7fefb290fff monitored = 0 entry_point = 0x7fefb2814c0 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1967 start_va = 0x7fefb2e0000 end_va = 0x7fefb350fff monitored = 0 entry_point = 0x7fefb31ecc4 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 1968 start_va = 0x7fefb3d0000 end_va = 0x7fefb3e3fff monitored = 0 entry_point = 0x7fefb3d16b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1969 start_va = 0x7fefb3f0000 end_va = 0x7fefb404fff monitored = 0 entry_point = 0x7fefb3f1050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1970 start_va = 0x7fefb410000 end_va = 0x7fefb41bfff monitored = 0 entry_point = 0x7fefb4118a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1971 start_va = 0x7fefb420000 end_va = 0x7fefb435fff monitored = 0 entry_point = 0x7fefb4211a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1972 start_va = 0x7fefb550000 end_va = 0x7fefb560fff monitored = 0 entry_point = 0x7fefb551070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1973 start_va = 0x7fefb6b0000 end_va = 0x7fefb6e4fff monitored = 0 entry_point = 0x7fefb6b1064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1974 start_va = 0x7fefbb20000 end_va = 0x7fefbb75fff monitored = 0 entry_point = 0x7fefbb2bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1975 start_va = 0x7fefbb80000 end_va = 0x7fefbcabfff monitored = 0 entry_point = 0x7fefbb894bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1976 start_va = 0x7fefbcb0000 end_va = 0x7fefbcccfff monitored = 0 entry_point = 0x7fefbcb1ef4 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1977 start_va = 0x7fefbd00000 end_va = 0x7fefbef3fff monitored = 0 entry_point = 0x7fefbe8c924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 1978 start_va = 0x7fefc390000 end_va = 0x7fefc39bfff monitored = 0 entry_point = 0x7fefc391064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1979 start_va = 0x7fefc3a0000 end_va = 0x7fefc45afff monitored = 0 entry_point = 0x7fefc3a6de0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1980 start_va = 0x7fefc460000 end_va = 0x7fefc466fff monitored = 0 entry_point = 0x7fefc4614b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1981 start_va = 0x7fefc550000 end_va = 0x7fefc56afff monitored = 0 entry_point = 0x7fefc552068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1982 start_va = 0x7fefc570000 end_va = 0x7fefc58dfff monitored = 0 entry_point = 0x7fefc5713b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1983 start_va = 0x7fefc590000 end_va = 0x7fefc5a1fff monitored = 0 entry_point = 0x7fefc591060 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 1984 start_va = 0x7fefc5b0000 end_va = 0x7fefc5cefff monitored = 0 entry_point = 0x7fefc5b5c68 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 1985 start_va = 0x7fefc680000 end_va = 0x7fefc6b8fff monitored = 0 entry_point = 0x7fefc68c0f0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1986 start_va = 0x7fefc6c0000 end_va = 0x7fefc6c9fff monitored = 0 entry_point = 0x7fefc6c3cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1987 start_va = 0x7fefc6d0000 end_va = 0x7fefc6dcfff monitored = 0 entry_point = 0x7fefc6d1348 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 1988 start_va = 0x7fefc7c0000 end_va = 0x7fefc806fff monitored = 0 entry_point = 0x7fefc7c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1989 start_va = 0x7fefc8b0000 end_va = 0x7fefc8dffff monitored = 0 entry_point = 0x7fefc8b194c region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1990 start_va = 0x7fefc8e0000 end_va = 0x7fefc93afff monitored = 0 entry_point = 0x7fefc8e6940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1991 start_va = 0x7fefca50000 end_va = 0x7fefca56fff monitored = 0 entry_point = 0x7fefca5142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1992 start_va = 0x7fefca60000 end_va = 0x7fefcab4fff monitored = 0 entry_point = 0x7fefca61054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1993 start_va = 0x7fefcac0000 end_va = 0x7fefcad7fff monitored = 0 entry_point = 0x7fefcac3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1994 start_va = 0x7fefcbd0000 end_va = 0x7fefcc01fff monitored = 0 entry_point = 0x7fefcbd144c region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1995 start_va = 0x7fefcc10000 end_va = 0x7fefcc17fff monitored = 0 entry_point = 0x7fefcc12a6c region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 1996 start_va = 0x7fefcc20000 end_va = 0x7fefcc29fff monitored = 0 entry_point = 0x7fefcc23b40 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1997 start_va = 0x7fefcc30000 end_va = 0x7fefcc51fff monitored = 0 entry_point = 0x7fefcc35d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1998 start_va = 0x7fefccb0000 end_va = 0x7fefccdefff monitored = 0 entry_point = 0x7fefccb1064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1999 start_va = 0x7fefccf0000 end_va = 0x7fefcd5cfff monitored = 0 entry_point = 0x7fefccf1010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2000 start_va = 0x7fefcd60000 end_va = 0x7fefcd73fff monitored = 0 entry_point = 0x7fefcd64160 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 2001 start_va = 0x7fefcfc0000 end_va = 0x7fefcfe2fff monitored = 0 entry_point = 0x7fefcfc1198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2002 start_va = 0x7fefd060000 end_va = 0x7fefd06afff monitored = 0 entry_point = 0x7fefd061030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2003 start_va = 0x7fefd090000 end_va = 0x7fefd0b4fff monitored = 0 entry_point = 0x7fefd099658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2004 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2005 start_va = 0x7fefd0d0000 end_va = 0x7fefd160fff monitored = 0 entry_point = 0x7fefd0d1440 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 2006 start_va = 0x7fefd170000 end_va = 0x7fefd1acfff monitored = 0 entry_point = 0x7fefd1718f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2007 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c3fff monitored = 0 entry_point = 0x7fefd1b10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2008 start_va = 0x7fefd1d0000 end_va = 0x7fefd1defff monitored = 0 entry_point = 0x7fefd1d19b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2009 start_va = 0x7fefd270000 end_va = 0x7fefd27efff monitored = 0 entry_point = 0x7fefd271020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2010 start_va = 0x7fefd280000 end_va = 0x7fefd2bafff monitored = 0 entry_point = 0x7fefd281324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2011 start_va = 0x7fefd2c0000 end_va = 0x7fefd42cfff monitored = 0 entry_point = 0x7fefd2c10b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2012 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2013 start_va = 0x7fefd540000 end_va = 0x7fefd575fff monitored = 0 entry_point = 0x7fefd541474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2014 start_va = 0x7fefd580000 end_va = 0x7fefd599fff monitored = 0 entry_point = 0x7fefd581558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2015 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2016 start_va = 0x7fefd6d0000 end_va = 0x7fefd721fff monitored = 0 entry_point = 0x7fefd6d10d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2017 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2018 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2019 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2020 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2021 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2022 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2023 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2024 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2025 start_va = 0x7fefed70000 end_va = 0x7fefed77fff monitored = 0 entry_point = 0x7fefed71504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2026 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2027 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2028 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2029 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2030 start_va = 0x7feff280000 end_va = 0x7feff2ccfff monitored = 0 entry_point = 0x7feff281070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2031 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2032 start_va = 0x7feff3b0000 end_va = 0x7feff586fff monitored = 0 entry_point = 0x7feff3b1010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2033 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2034 start_va = 0x7fffff44000 end_va = 0x7fffff45fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff44000" filename = "" Region: id = 2035 start_va = 0x7fffff46000 end_va = 0x7fffff47fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff46000" filename = "" Region: id = 2036 start_va = 0x7fffff48000 end_va = 0x7fffff49fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff48000" filename = "" Region: id = 2037 start_va = 0x7fffff4a000 end_va = 0x7fffff4bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff4a000" filename = "" Region: id = 2038 start_va = 0x7fffff4c000 end_va = 0x7fffff4dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff4c000" filename = "" Region: id = 2039 start_va = 0x7fffff50000 end_va = 0x7fffff51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff50000" filename = "" Region: id = 2040 start_va = 0x7fffff52000 end_va = 0x7fffff53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff52000" filename = "" Region: id = 2041 start_va = 0x7fffff54000 end_va = 0x7fffff55fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff54000" filename = "" Region: id = 2042 start_va = 0x7fffff5a000 end_va = 0x7fffff5bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5a000" filename = "" Region: id = 2043 start_va = 0x7fffff64000 end_va = 0x7fffff65fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff64000" filename = "" Region: id = 2044 start_va = 0x7fffff66000 end_va = 0x7fffff67fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff66000" filename = "" Region: id = 2045 start_va = 0x7fffff68000 end_va = 0x7fffff69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff68000" filename = "" Region: id = 2046 start_va = 0x7fffff6a000 end_va = 0x7fffff6bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6a000" filename = "" Region: id = 2047 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 2048 start_va = 0x7fffff6e000 end_va = 0x7fffff6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6e000" filename = "" Region: id = 2049 start_va = 0x7fffff70000 end_va = 0x7fffff71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff70000" filename = "" Region: id = 2050 start_va = 0x7fffff72000 end_va = 0x7fffff73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 2051 start_va = 0x7fffff74000 end_va = 0x7fffff75fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 2052 start_va = 0x7fffff80000 end_va = 0x7fffff81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 2053 start_va = 0x7fffff82000 end_va = 0x7fffff83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 2054 start_va = 0x7fffff88000 end_va = 0x7fffff89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 2055 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 2056 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 2057 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 2058 start_va = 0x7fffff90000 end_va = 0x7fffff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 2059 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 2060 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 2061 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 2062 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 2063 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 2064 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 2065 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 2066 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 2067 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 2068 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 2069 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 2070 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 2071 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 2072 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2073 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2074 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2075 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2076 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2077 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2078 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2079 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2080 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3448 start_va = 0x2c00000 end_va = 0x2c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 3449 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 3451 start_va = 0x1b90000 end_va = 0x1c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b90000" filename = "" Region: id = 3452 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Thread: id = 66 os_tid = 0x9c4 Thread: id = 67 os_tid = 0x99c Thread: id = 68 os_tid = 0x998 Thread: id = 69 os_tid = 0x980 Thread: id = 70 os_tid = 0x97c Thread: id = 71 os_tid = 0xf6c Thread: id = 72 os_tid = 0xf68 Thread: id = 73 os_tid = 0x968 Thread: id = 74 os_tid = 0x424 Thread: id = 75 os_tid = 0x7a0 Thread: id = 76 os_tid = 0x604 Thread: id = 77 os_tid = 0x394 Thread: id = 78 os_tid = 0x518 Thread: id = 79 os_tid = 0x47c Thread: id = 80 os_tid = 0x62c Thread: id = 81 os_tid = 0x640 Thread: id = 82 os_tid = 0x72c Thread: id = 83 os_tid = 0x610 Thread: id = 84 os_tid = 0x6b4 Thread: id = 85 os_tid = 0x5c4 Thread: id = 86 os_tid = 0x6c4 Thread: id = 87 os_tid = 0x16c Thread: id = 88 os_tid = 0x63c Thread: id = 89 os_tid = 0x780 Thread: id = 90 os_tid = 0x758 Thread: id = 91 os_tid = 0x680 Thread: id = 92 os_tid = 0x304 Thread: id = 93 os_tid = 0x320 Thread: id = 94 os_tid = 0x65c Thread: id = 95 os_tid = 0x624 Thread: id = 96 os_tid = 0x5fc Thread: id = 97 os_tid = 0x5ec Thread: id = 98 os_tid = 0x45c Thread: id = 99 os_tid = 0x458 Thread: id = 100 os_tid = 0x154 Thread: id = 101 os_tid = 0x364 Thread: id = 102 os_tid = 0x454 Thread: id = 103 os_tid = 0x450 Thread: id = 104 os_tid = 0x444 Thread: id = 105 os_tid = 0x1c0 Thread: id = 106 os_tid = 0x3f4 Thread: id = 107 os_tid = 0x3ec Thread: id = 108 os_tid = 0x3e0 Thread: id = 109 os_tid = 0x374 Thread: id = 110 os_tid = 0x36c Thread: id = 139 os_tid = 0xbe4 Thread: id = 140 os_tid = 0xde8 Thread: id = 141 os_tid = 0xbd4 Thread: id = 209 os_tid = 0xec4 Thread: id = 210 os_tid = 0x9cc Process: id = "31" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x4d359000" os_pid = "0xd60" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "30" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0005604d" [0xc000000f] Region: id = 2283 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2284 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2285 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2286 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2287 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2288 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2289 start_va = 0xd0000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2290 start_va = 0x150000 end_va = 0x24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2291 start_va = 0x250000 end_va = 0x254fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2292 start_va = 0x260000 end_va = 0x260fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 2293 start_va = 0x270000 end_va = 0x270fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 2294 start_va = 0x280000 end_va = 0x280fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 2295 start_va = 0x290000 end_va = 0x29cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 2296 start_va = 0x2a0000 end_va = 0x2a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2297 start_va = 0x2c0000 end_va = 0x2c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cimwin32.dll.mui" filename = "\\Windows\\System32\\wbem\\en-US\\cimwin32.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\cimwin32.dll.mui") Region: id = 2298 start_va = 0x300000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2299 start_va = 0x320000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 2300 start_va = 0x420000 end_va = 0x5a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 2301 start_va = 0x5b0000 end_va = 0x730fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 2302 start_va = 0x740000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 2303 start_va = 0x800000 end_va = 0xacefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2304 start_va = 0xba0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 2305 start_va = 0xc80000 end_va = 0xcfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 2306 start_va = 0xd40000 end_va = 0xdbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 2307 start_va = 0xde0000 end_va = 0xe5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 2308 start_va = 0xee0000 end_va = 0xf5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 2309 start_va = 0xf80000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 2310 start_va = 0x10b0000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 2311 start_va = 0x1130000 end_va = 0x122ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 2312 start_va = 0x1260000 end_va = 0x12dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001260000" filename = "" Region: id = 2313 start_va = 0x72580000 end_va = 0x72582fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "security.dll" filename = "\\Windows\\System32\\security.dll" (normalized: "c:\\windows\\system32\\security.dll") Region: id = 2314 start_va = 0x72590000 end_va = 0x72592fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmi.dll" filename = "\\Windows\\System32\\wmi.dll" (normalized: "c:\\windows\\system32\\wmi.dll") Region: id = 2315 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2316 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2317 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2318 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2319 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2320 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2321 start_va = 0x13fd40000 end_va = 0x13fdabfff monitored = 0 entry_point = 0x13fd7b450 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 2322 start_va = 0x7fef1ad0000 end_va = 0x7fef1ae1fff monitored = 0 entry_point = 0x7fef1adaab8 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 2323 start_va = 0x7fef1af0000 end_va = 0x7fef1ce9fff monitored = 1 entry_point = 0x7fef1b04c9c region_type = mapped_file name = "cimwin32.dll" filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll") Region: id = 2324 start_va = 0x7fef31a0000 end_va = 0x7fef31a9fff monitored = 0 entry_point = 0x7fef31a31c8 region_type = mapped_file name = "schedcli.dll" filename = "\\Windows\\System32\\schedcli.dll" (normalized: "c:\\windows\\system32\\schedcli.dll") Region: id = 2325 start_va = 0x7fef43f0000 end_va = 0x7fef441bfff monitored = 0 entry_point = 0x7fef4408194 region_type = mapped_file name = "wmipcima.dll" filename = "\\Windows\\System32\\wbem\\wmipcima.dll" (normalized: "c:\\windows\\system32\\wbem\\wmipcima.dll") Region: id = 2326 start_va = 0x7fef4480000 end_va = 0x7fef44c2fff monitored = 0 entry_point = 0x7fef44a1b50 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 2327 start_va = 0x7fef8f60000 end_va = 0x7fef8f71fff monitored = 0 entry_point = 0x7fef8f689d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 2328 start_va = 0x7fef9120000 end_va = 0x7fef9140fff monitored = 0 entry_point = 0x7fef91303b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2329 start_va = 0x7fef9240000 end_va = 0x7fef9252fff monitored = 0 entry_point = 0x7fef9241d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2330 start_va = 0x7fef9520000 end_va = 0x7fef952dfff monitored = 0 entry_point = 0x7fef9525500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2331 start_va = 0x7fef9530000 end_va = 0x7fef9556fff monitored = 0 entry_point = 0x7fef95311a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2332 start_va = 0x7fef9560000 end_va = 0x7fef9632fff monitored = 0 entry_point = 0x7fef95d8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2333 start_va = 0x7fef97c0000 end_va = 0x7fef9836fff monitored = 1 entry_point = 0x7fef97fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2334 start_va = 0x7fefab30000 end_va = 0x7fefab3efff monitored = 0 entry_point = 0x7fefab31040 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 2335 start_va = 0x7fefad80000 end_va = 0x7fefad8bfff monitored = 0 entry_point = 0x7fefad815d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 2336 start_va = 0x7fefb170000 end_va = 0x7fefb19bfff monitored = 0 entry_point = 0x7fefb1715c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2337 start_va = 0x7fefb250000 end_va = 0x7fefb27cfff monitored = 0 entry_point = 0x7fefb251010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2338 start_va = 0x7fefb2b0000 end_va = 0x7fefb2b7fff monitored = 0 entry_point = 0x7fefb2b11a0 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 2339 start_va = 0x7fefb3d0000 end_va = 0x7fefb3e3fff monitored = 0 entry_point = 0x7fefb3d16b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 2340 start_va = 0x7fefb3f0000 end_va = 0x7fefb404fff monitored = 0 entry_point = 0x7fefb3f1050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2341 start_va = 0x7fefb410000 end_va = 0x7fefb41bfff monitored = 0 entry_point = 0x7fefb4118a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2342 start_va = 0x7fefb420000 end_va = 0x7fefb435fff monitored = 0 entry_point = 0x7fefb4211a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2343 start_va = 0x7fefb550000 end_va = 0x7fefb560fff monitored = 0 entry_point = 0x7fefb551070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2344 start_va = 0x7fefc6c0000 end_va = 0x7fefc6c9fff monitored = 0 entry_point = 0x7fefc6c3cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2345 start_va = 0x7fefc7c0000 end_va = 0x7fefc806fff monitored = 0 entry_point = 0x7fefc7c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2346 start_va = 0x7fefc850000 end_va = 0x7fefc8a6fff monitored = 0 entry_point = 0x7fefc855e38 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 2347 start_va = 0x7fefc8b0000 end_va = 0x7fefc8dffff monitored = 0 entry_point = 0x7fefc8b194c region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 2348 start_va = 0x7fefcac0000 end_va = 0x7fefcad7fff monitored = 0 entry_point = 0x7fefcac3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2349 start_va = 0x7fefcc30000 end_va = 0x7fefcc51fff monitored = 0 entry_point = 0x7fefcc35d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2350 start_va = 0x7fefcfc0000 end_va = 0x7fefcfe2fff monitored = 0 entry_point = 0x7fefcfc1198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2351 start_va = 0x7fefd060000 end_va = 0x7fefd06afff monitored = 0 entry_point = 0x7fefd061030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2352 start_va = 0x7fefd090000 end_va = 0x7fefd0b4fff monitored = 0 entry_point = 0x7fefd099658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2353 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2354 start_va = 0x7fefd170000 end_va = 0x7fefd1acfff monitored = 0 entry_point = 0x7fefd1718f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2355 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c3fff monitored = 0 entry_point = 0x7fefd1b10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2356 start_va = 0x7fefd270000 end_va = 0x7fefd27efff monitored = 0 entry_point = 0x7fefd271020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2357 start_va = 0x7fefd280000 end_va = 0x7fefd2bafff monitored = 0 entry_point = 0x7fefd281324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2358 start_va = 0x7fefd2c0000 end_va = 0x7fefd42cfff monitored = 0 entry_point = 0x7fefd2c10b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2359 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2360 start_va = 0x7fefd540000 end_va = 0x7fefd575fff monitored = 0 entry_point = 0x7fefd541474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2361 start_va = 0x7fefd580000 end_va = 0x7fefd599fff monitored = 0 entry_point = 0x7fefd581558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2362 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2363 start_va = 0x7fefd6d0000 end_va = 0x7fefd721fff monitored = 0 entry_point = 0x7fefd6d10d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2364 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2365 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2366 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2367 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2368 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2369 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2370 start_va = 0x7fefed70000 end_va = 0x7fefed77fff monitored = 0 entry_point = 0x7fefed71504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2371 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2372 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2373 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2374 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2375 start_va = 0x7feff280000 end_va = 0x7feff2ccfff monitored = 0 entry_point = 0x7feff281070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2376 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2377 start_va = 0x7feff3b0000 end_va = 0x7feff586fff monitored = 0 entry_point = 0x7feff3b1010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2378 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2379 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 2380 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2381 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2382 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2383 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2384 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2385 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2386 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2387 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2388 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2389 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3450 start_va = 0xe20000 end_va = 0xe9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Thread: id = 111 os_tid = 0xd84 Thread: id = 112 os_tid = 0xd80 Thread: id = 113 os_tid = 0xd7c [0151.427] DllCanUnloadNow () returned 0x1 [0276.187] DllCanUnloadNow () returned 0x1 Thread: id = 114 os_tid = 0xd78 Thread: id = 115 os_tid = 0xd74 [0094.689] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0097.044] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0097.188] SetLastError (dwErrCode=0x0) [0097.188] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xe5e308, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xe5e210 | out: pulNumLanguages=0xe5e308, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xe5e210) returned 1 [0097.188] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da30 [0097.188] SetLastError (dwErrCode=0x0) [0097.188] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xe5e308, pwszLanguagesBuffer=0x35da30, pcchLanguagesBuffer=0xe5e210 | out: pulNumLanguages=0xe5e308, pwszLanguagesBuffer=0x35da30, pcchLanguagesBuffer=0xe5e210) returned 1 [0097.188] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da90 [0097.188] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da30 | out: hHeap=0x320000) returned 1 [0097.188] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x14) returned 0x38f5f0 [0097.189] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x38f5f0, pulNumLanguages=0xe5e308 | out: pulNumLanguages=0xe5e308) returned 1 [0097.189] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x38f5f0 | out: hHeap=0x320000) returned 1 [0097.609] LoadStringW (in: hInstance=0x7fef1af0000, uID=0x3d, lpBuffer=0xe5d8d0, cchBufferMax=256 | out: lpBuffer="Computer System Product") returned 0x17 [0097.610] lstrlenW (lpString="C6100") returned 5 [0097.610] lstrlenW (lpString="A00") returned 3 [0097.611] lstrlenW (lpString="Dell") returned 4 [0097.611] lstrlenW (lpString="JP7XY4J") returned 7 [0097.611] _vsnwprintf (in: _Buffer=0xe5db90, _BufferCount=0x40, _Format="%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", _ArgList=0xe5db28 | out: _Buffer="4C4C4544-0050-3710-8058-CAC04F59344A") returned 36 [0097.618] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x4) returned 0x35da30 [0097.618] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x35da30, pulNumLanguages=0xe5e300 | out: pulNumLanguages=0xe5e300) returned 1 [0097.618] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da30 | out: hHeap=0x320000) returned 1 [0099.529] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0099.742] SetLastError (dwErrCode=0x0) [0099.742] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xe5e308, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xe5e210 | out: pulNumLanguages=0xe5e308, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xe5e210) returned 1 [0099.743] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da90 [0099.743] SetLastError (dwErrCode=0x0) [0099.743] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xe5e308, pwszLanguagesBuffer=0x35da90, pcchLanguagesBuffer=0xe5e210 | out: pulNumLanguages=0xe5e308, pwszLanguagesBuffer=0x35da90, pcchLanguagesBuffer=0xe5e210) returned 1 [0099.743] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da30 [0099.743] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da90 | out: hHeap=0x320000) returned 1 [0099.743] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x14) returned 0x38f010 [0099.743] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x38f010, pulNumLanguages=0xe5e308 | out: pulNumLanguages=0xe5e308) returned 1 [0099.743] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x38f010 | out: hHeap=0x320000) returned 1 [0099.745] LoadStringW (in: hInstance=0x7fef1af0000, uID=0x3d, lpBuffer=0xe5d8d0, cchBufferMax=256 | out: lpBuffer="Computer System Product") returned 0x17 [0099.745] lstrlenW (lpString="C6100") returned 5 [0099.746] lstrlenW (lpString="A00") returned 3 [0099.747] lstrlenW (lpString="Dell") returned 4 [0099.747] lstrlenW (lpString="JP7XY4J") returned 7 [0099.747] _vsnwprintf (in: _Buffer=0xe5db90, _BufferCount=0x40, _Format="%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", _ArgList=0xe5db28 | out: _Buffer="4C4C4544-0050-3710-8058-CAC04F59344A") returned 36 [0100.338] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x4) returned 0x35da90 [0100.338] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x35da90, pulNumLanguages=0xe5e300 | out: pulNumLanguages=0xe5e300) returned 1 [0100.338] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da90 | out: hHeap=0x320000) returned 1 [0100.761] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0105.129] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 Thread: id = 116 os_tid = 0xd70 [0097.185] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0105.447] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0107.548] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0107.866] SetLastError (dwErrCode=0x0) [0107.866] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810) returned 1 [0107.866] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da30 [0107.866] SetLastError (dwErrCode=0x0) [0107.866] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da30, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da30, pcchLanguagesBuffer=0xdbe810) returned 1 [0107.866] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da90 [0107.866] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da30 | out: hHeap=0x320000) returned 1 [0107.866] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x14) returned 0x38f450 [0107.866] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x38f450, pulNumLanguages=0xdbe908 | out: pulNumLanguages=0xdbe908) returned 1 [0107.866] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x38f450 | out: hHeap=0x320000) returned 1 [0107.870] LoadStringW (in: hInstance=0x7fef1af0000, uID=0x3d, lpBuffer=0xdbded0, cchBufferMax=256 | out: lpBuffer="Computer System Product") returned 0x17 [0107.871] lstrlenW (lpString="C6100") returned 5 [0107.872] lstrlenW (lpString="A00") returned 3 [0107.872] lstrlenW (lpString="Dell") returned 4 [0107.872] lstrlenW (lpString="JP7XY4J") returned 7 [0107.872] _vsnwprintf (in: _Buffer=0xdbe190, _BufferCount=0x40, _Format="%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", _ArgList=0xdbe128 | out: _Buffer="4C4C4544-0050-3710-8058-CAC04F59344A") returned 36 [0107.919] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x4) returned 0x35da30 [0107.919] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x35da30, pulNumLanguages=0xdbe900 | out: pulNumLanguages=0xdbe900) returned 1 [0107.919] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da30 | out: hHeap=0x320000) returned 1 [0111.262] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0113.117] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0113.293] SetLastError (dwErrCode=0x0) [0113.293] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810) returned 1 [0113.294] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da90 [0113.294] SetLastError (dwErrCode=0x0) [0113.294] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da90, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da90, pcchLanguagesBuffer=0xdbe810) returned 1 [0113.294] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da30 [0113.294] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da90 | out: hHeap=0x320000) returned 1 [0113.294] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x14) returned 0x38f490 [0113.294] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x38f490, pulNumLanguages=0xdbe908 | out: pulNumLanguages=0xdbe908) returned 1 [0113.294] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x38f490 | out: hHeap=0x320000) returned 1 [0113.298] LoadStringW (in: hInstance=0x7fef1af0000, uID=0x3d, lpBuffer=0xdbded0, cchBufferMax=256 | out: lpBuffer="Computer System Product") returned 0x17 [0113.300] lstrlenW (lpString="C6100") returned 5 [0113.300] lstrlenW (lpString="A00") returned 3 [0113.300] lstrlenW (lpString="Dell") returned 4 [0113.301] lstrlenW (lpString="JP7XY4J") returned 7 [0113.301] _vsnwprintf (in: _Buffer=0xdbe190, _BufferCount=0x40, _Format="%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", _ArgList=0xdbe128 | out: _Buffer="4C4C4544-0050-3710-8058-CAC04F59344A") returned 36 [0113.329] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x4) returned 0x35da90 [0113.329] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x35da90, pulNumLanguages=0xdbe900 | out: pulNumLanguages=0xdbe900) returned 1 [0113.329] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da90 | out: hHeap=0x320000) returned 1 [0121.792] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0122.853] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0122.912] SetLastError (dwErrCode=0x0) [0122.912] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810) returned 1 [0122.912] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da30 [0122.912] SetLastError (dwErrCode=0x0) [0122.912] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da30, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da30, pcchLanguagesBuffer=0xdbe810) returned 1 [0122.912] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da90 [0122.912] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da30 | out: hHeap=0x320000) returned 1 [0122.912] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x14) returned 0x38f490 [0122.912] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x38f490, pulNumLanguages=0xdbe908 | out: pulNumLanguages=0xdbe908) returned 1 [0122.912] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x38f490 | out: hHeap=0x320000) returned 1 [0122.917] LoadStringW (in: hInstance=0x7fef1af0000, uID=0x3d, lpBuffer=0xdbded0, cchBufferMax=256 | out: lpBuffer="Computer System Product") returned 0x17 [0122.918] lstrlenW (lpString="C6100") returned 5 [0122.919] lstrlenW (lpString="A00") returned 3 [0122.919] lstrlenW (lpString="Dell") returned 4 [0122.919] lstrlenW (lpString="JP7XY4J") returned 7 [0122.920] _vsnwprintf (in: _Buffer=0xdbe190, _BufferCount=0x40, _Format="%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", _ArgList=0xdbe128 | out: _Buffer="4C4C4544-0050-3710-8058-CAC04F59344A") returned 36 [0122.927] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x4) returned 0x35da30 [0122.927] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x35da30, pulNumLanguages=0xdbe900 | out: pulNumLanguages=0xdbe900) returned 1 [0122.927] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da30 | out: hHeap=0x320000) returned 1 [0126.454] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0127.309] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0127.397] SetLastError (dwErrCode=0x0) [0127.397] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810) returned 1 [0127.397] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da90 [0127.397] SetLastError (dwErrCode=0x0) [0127.397] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da90, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da90, pcchLanguagesBuffer=0xdbe810) returned 1 [0127.397] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da30 [0127.397] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da90 | out: hHeap=0x320000) returned 1 [0127.397] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x14) returned 0x38f490 [0127.397] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x38f490, pulNumLanguages=0xdbe908 | out: pulNumLanguages=0xdbe908) returned 1 [0127.398] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x38f490 | out: hHeap=0x320000) returned 1 [0127.403] LoadStringW (in: hInstance=0x7fef1af0000, uID=0x3d, lpBuffer=0xdbded0, cchBufferMax=256 | out: lpBuffer="Computer System Product") returned 0x17 [0127.404] lstrlenW (lpString="C6100") returned 5 [0127.404] lstrlenW (lpString="A00") returned 3 [0127.405] lstrlenW (lpString="Dell") returned 4 [0127.405] lstrlenW (lpString="JP7XY4J") returned 7 [0127.405] _vsnwprintf (in: _Buffer=0xdbe190, _BufferCount=0x40, _Format="%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", _ArgList=0xdbe128 | out: _Buffer="4C4C4544-0050-3710-8058-CAC04F59344A") returned 36 [0127.413] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x4) returned 0x35da90 [0127.413] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x35da90, pulNumLanguages=0xdbe900 | out: pulNumLanguages=0xdbe900) returned 1 [0127.413] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da90 | out: hHeap=0x320000) returned 1 [0133.767] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0134.209] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0134.262] SetLastError (dwErrCode=0x0) [0134.262] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810) returned 1 [0134.262] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da30 [0134.262] SetLastError (dwErrCode=0x0) [0134.262] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da30, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da30, pcchLanguagesBuffer=0xdbe810) returned 1 [0134.262] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da90 [0134.262] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da30 | out: hHeap=0x320000) returned 1 [0134.262] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x14) returned 0x38f490 [0134.262] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x38f490, pulNumLanguages=0xdbe908 | out: pulNumLanguages=0xdbe908) returned 1 [0134.262] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x38f490 | out: hHeap=0x320000) returned 1 [0134.268] LoadStringW (in: hInstance=0x7fef1af0000, uID=0x3d, lpBuffer=0xdbded0, cchBufferMax=256 | out: lpBuffer="Computer System Product") returned 0x17 [0134.269] lstrlenW (lpString="C6100") returned 5 [0134.275] lstrlenW (lpString="A00") returned 3 [0134.276] lstrlenW (lpString="Dell") returned 4 [0134.276] lstrlenW (lpString="JP7XY4J") returned 7 [0134.276] _vsnwprintf (in: _Buffer=0xdbe190, _BufferCount=0x40, _Format="%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", _ArgList=0xdbe128 | out: _Buffer="4C4C4544-0050-3710-8058-CAC04F59344A") returned 36 [0134.286] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x4) returned 0x35da30 [0134.286] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x35da30, pulNumLanguages=0xdbe900 | out: pulNumLanguages=0xdbe900) returned 1 [0134.286] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da30 | out: hHeap=0x320000) returned 1 [0138.895] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0138.985] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0138.995] SetLastError (dwErrCode=0x0) [0138.995] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810) returned 1 [0138.995] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da90 [0138.995] SetLastError (dwErrCode=0x0) [0138.995] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da90, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da90, pcchLanguagesBuffer=0xdbe810) returned 1 [0138.995] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da30 [0138.995] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da90 | out: hHeap=0x320000) returned 1 [0138.995] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x14) returned 0x38f490 [0138.995] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x38f490, pulNumLanguages=0xdbe908 | out: pulNumLanguages=0xdbe908) returned 1 [0138.995] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x38f490 | out: hHeap=0x320000) returned 1 [0139.000] LoadStringW (in: hInstance=0x7fef1af0000, uID=0x3d, lpBuffer=0xdbded0, cchBufferMax=256 | out: lpBuffer="Computer System Product") returned 0x17 [0139.001] lstrlenW (lpString="C6100") returned 5 [0139.002] lstrlenW (lpString="A00") returned 3 [0139.002] lstrlenW (lpString="Dell") returned 4 [0139.002] lstrlenW (lpString="JP7XY4J") returned 7 [0139.003] _vsnwprintf (in: _Buffer=0xdbe190, _BufferCount=0x40, _Format="%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", _ArgList=0xdbe128 | out: _Buffer="4C4C4544-0050-3710-8058-CAC04F59344A") returned 36 [0139.011] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x4) returned 0x35da90 [0139.011] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x35da90, pulNumLanguages=0xdbe900 | out: pulNumLanguages=0xdbe900) returned 1 [0139.011] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da90 | out: hHeap=0x320000) returned 1 [0151.244] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0151.430] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0151.438] SetLastError (dwErrCode=0x0) [0151.438] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdbe810) returned 1 [0151.439] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da80 [0151.439] SetLastError (dwErrCode=0x0) [0151.439] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da80, pcchLanguagesBuffer=0xdbe810 | out: pulNumLanguages=0xdbe908, pwszLanguagesBuffer=0x35da80, pcchLanguagesBuffer=0xdbe810) returned 1 [0151.439] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x8) returned 0x35da30 [0151.439] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da80 | out: hHeap=0x320000) returned 1 [0151.439] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x14) returned 0x38f510 [0151.439] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x38f510, pulNumLanguages=0xdbe908 | out: pulNumLanguages=0xdbe908) returned 1 [0151.439] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x38f510 | out: hHeap=0x320000) returned 1 [0151.445] LoadStringW (in: hInstance=0x7fef1af0000, uID=0x3d, lpBuffer=0xdbded0, cchBufferMax=256 | out: lpBuffer="Computer System Product") returned 0x17 [0151.446] lstrlenW (lpString="C6100") returned 5 [0151.446] lstrlenW (lpString="A00") returned 3 [0151.447] lstrlenW (lpString="Dell") returned 4 [0151.447] lstrlenW (lpString="JP7XY4J") returned 7 [0151.447] _vsnwprintf (in: _Buffer=0xdbe190, _BufferCount=0x40, _Format="%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X", _ArgList=0xdbe128 | out: _Buffer="4C4C4544-0050-3710-8058-CAC04F59344A") returned 36 [0151.454] RtlAllocateHeap (HeapHandle=0x320000, Flags=0x0, Size=0x4) returned 0x35da80 [0151.454] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x35da80, pulNumLanguages=0xdbe900 | out: pulNumLanguages=0xdbe900) returned 1 [0151.454] HeapFree (in: hHeap=0x320000, dwFlags=0x0, lpMem=0x35da80 | out: hHeap=0x320000) returned 1 Thread: id = 117 os_tid = 0xd6c Thread: id = 118 os_tid = 0xd68 Thread: id = 119 os_tid = 0xd64 Thread: id = 208 os_tid = 0xe44 Process: id = "32" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x59447000" os_pid = "0x748" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "30" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000d9b2" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2090 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2091 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2092 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2093 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2094 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2095 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2096 start_va = 0xd0000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2097 start_va = 0x150000 end_va = 0x154fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2098 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 2099 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 2100 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 2101 start_va = 0x1e0000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 2102 start_va = 0x2e0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 2103 start_va = 0x440000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 2104 start_va = 0x450000 end_va = 0x5d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 2105 start_va = 0x5e0000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 2106 start_va = 0x770000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 2107 start_va = 0x830000 end_va = 0xafefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2108 start_va = 0xb40000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 2109 start_va = 0xc30000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 2110 start_va = 0xcb0000 end_va = 0xd2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 2111 start_va = 0xd30000 end_va = 0xdaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 2112 start_va = 0xdb0000 end_va = 0xeaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 2113 start_va = 0xee0000 end_va = 0xf5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 2114 start_va = 0xf60000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 2115 start_va = 0x1030000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 2116 start_va = 0x1110000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 2117 start_va = 0x12c0000 end_va = 0x133ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 2118 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2119 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2120 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2121 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2122 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2123 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2124 start_va = 0x13fd40000 end_va = 0x13fdabfff monitored = 0 entry_point = 0x13fd7b450 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 2125 start_va = 0x7fef1a50000 end_va = 0x7fef1a9dfff monitored = 0 entry_point = 0x7fef1a51198 region_type = mapped_file name = "pdh.dll" filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll") Region: id = 2126 start_va = 0x7fef1aa0000 end_va = 0x7fef1ac4fff monitored = 1 entry_point = 0x7fef1ab8d6c region_type = mapped_file name = "wmiperfclass.dll" filename = "\\Windows\\System32\\wbem\\WmiPerfClass.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiperfclass.dll") Region: id = 2127 start_va = 0x7fef32b0000 end_va = 0x7fef3335fff monitored = 1 entry_point = 0x7fef32bffd0 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2128 start_va = 0x7fef6430000 end_va = 0x7fef646bfff monitored = 1 entry_point = 0x7fef6455aa8 region_type = mapped_file name = "wmiprov.dll" filename = "\\Windows\\System32\\wbem\\wmiprov.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprov.dll") Region: id = 2129 start_va = 0x7fef8f60000 end_va = 0x7fef8f71fff monitored = 0 entry_point = 0x7fef8f689d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 2130 start_va = 0x7fef9120000 end_va = 0x7fef9140fff monitored = 0 entry_point = 0x7fef91303b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2131 start_va = 0x7fef9240000 end_va = 0x7fef9252fff monitored = 0 entry_point = 0x7fef9241d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2132 start_va = 0x7fef9520000 end_va = 0x7fef952dfff monitored = 0 entry_point = 0x7fef9525500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2133 start_va = 0x7fef9530000 end_va = 0x7fef9556fff monitored = 0 entry_point = 0x7fef95311a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2134 start_va = 0x7fef9560000 end_va = 0x7fef9632fff monitored = 0 entry_point = 0x7fef95d8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2135 start_va = 0x7fef97c0000 end_va = 0x7fef9836fff monitored = 1 entry_point = 0x7fef97fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2136 start_va = 0x7fefb250000 end_va = 0x7fefb27cfff monitored = 0 entry_point = 0x7fefb251010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2137 start_va = 0x7fefc7c0000 end_va = 0x7fefc806fff monitored = 0 entry_point = 0x7fefc7c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2138 start_va = 0x7fefcac0000 end_va = 0x7fefcad7fff monitored = 0 entry_point = 0x7fefcac3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2139 start_va = 0x7fefcc30000 end_va = 0x7fefcc51fff monitored = 0 entry_point = 0x7fefcc35d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2140 start_va = 0x7fefccf0000 end_va = 0x7fefcd5cfff monitored = 0 entry_point = 0x7fefccf1010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2141 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2142 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c3fff monitored = 0 entry_point = 0x7fefd1b10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2143 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2144 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2145 start_va = 0x7fefd6d0000 end_va = 0x7fefd721fff monitored = 0 entry_point = 0x7fefd6d10d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2146 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2147 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2148 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2149 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2150 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2151 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2152 start_va = 0x7fefed70000 end_va = 0x7fefed77fff monitored = 0 entry_point = 0x7fefed71504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2153 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2154 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2155 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2156 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2157 start_va = 0x7feff280000 end_va = 0x7feff2ccfff monitored = 0 entry_point = 0x7feff281070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2158 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2159 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2160 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2161 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2162 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2163 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2164 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2165 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2166 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2167 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2168 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2169 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3453 start_va = 0x1230000 end_va = 0x12affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Thread: id = 120 os_tid = 0x64c Thread: id = 121 os_tid = 0x514 [0156.690] DllCanUnloadNow () returned 0x1 [0156.690] DllCanUnloadNow () returned 0x1 [0281.368] DllCanUnloadNow () returned 0x1 [0281.368] DllCanUnloadNow () returned 0x1 Thread: id = 122 os_tid = 0x4ec Thread: id = 123 os_tid = 0x434 Thread: id = 124 os_tid = 0x43c Thread: id = 125 os_tid = 0x438 Thread: id = 126 os_tid = 0x730 Thread: id = 127 os_tid = 0x428 Thread: id = 163 os_tid = 0xe80 Process: id = "33" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x3dd25000" os_pid = "0xb80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"127.0.0.1\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2172 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2173 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2174 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2175 start_va = 0x150000 end_va = 0x24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2176 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2177 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2178 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2179 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 2180 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2181 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2182 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2183 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 2186 start_va = 0x250000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 2187 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2188 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2189 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2190 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2191 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2192 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2193 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2194 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2195 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2196 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2197 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2228 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2229 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2230 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2231 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2232 start_va = 0xc0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2233 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2277 start_va = 0xe0000 end_va = 0x108fff monitored = 0 entry_point = 0xe1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2278 start_va = 0x500000 end_va = 0x687fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 2279 start_va = 0xe0000 end_va = 0x108fff monitored = 0 entry_point = 0xe1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2280 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2281 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2498 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2499 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2500 start_va = 0xd0000 end_va = 0xdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2501 start_va = 0x690000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 2502 start_va = 0x820000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 2505 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 2506 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 2507 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2517 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 2518 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Thread: id = 130 os_tid = 0x788 [0103.106] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fb18 | out: lpSystemTimeAsFileTime=0x24fb18*(dwLowDateTime=0x32bae900, dwHighDateTime=0x1d937fd)) [0103.106] GetCurrentThreadId () returned 0x788 [0103.106] GetCurrentProcessId () returned 0xb80 [0103.106] QueryPerformanceCounter (in: lpPerformanceCount=0x24fb20 | out: lpPerformanceCount=0x24fb20*=3323738940274) returned 1 [0103.107] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0103.109] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0103.109] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0103.109] GetLastError () returned 0x7e [0103.109] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0103.109] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0103.110] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0103.110] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0103.110] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0103.111] GetProcessHeap () returned 0x300000 [0103.111] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0103.111] GetLastError () returned 0x7e [0103.111] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0103.111] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0103.111] GetLastError () returned 0x7e [0103.111] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0103.111] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0103.111] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c8) returned 0x31cfa0 [0103.112] SetLastError (dwErrCode=0x7e) [0103.112] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1200) returned 0x31d370 [0103.113] GetStartupInfoW (in: lpStartupInfo=0x24f9f0 | out: lpStartupInfo=0x24f9f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x24fa78, hStdError=0x1)) [0103.114] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0103.114] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0103.114] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0103.114] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"127.0.0.1\"" [0103.114] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"127.0.0.1\"" [0103.114] GetACP () returned 0x4e4 [0103.114] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x228) returned 0x31ab80 [0103.114] IsValidCodePage (CodePage=0x4e4) returned 1 [0103.114] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x24f9b0 | out: lpCPInfo=0x24f9b0) returned 1 [0103.114] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x24f250 | out: lpCPInfo=0x24f250) returned 1 [0103.114] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x24f270, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0103.114] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x24f270, cbMultiByte=256, lpWideCharStr=0x24efa0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0103.114] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x24f570 | out: lpCharType=0x24f570) returned 1 [0103.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x24f270, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0103.115] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x24f270, cbMultiByte=256, lpWideCharStr=0x24ef40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0103.115] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0103.115] GetLastError () returned 0x7e [0103.115] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0103.115] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0103.116] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x24ed30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0103.116] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x24f370, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80«1", lpUsedDefaultChar=0x0) returned 256 [0103.116] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x24f270, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0103.116] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x24f270, cbMultiByte=256, lpWideCharStr=0x24ef40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0103.116] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0103.116] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x24ed30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0103.116] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x24f470, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0103.116] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x100) returned 0x31f580 [0103.116] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0103.116] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18c) returned 0x31f690 [0103.116] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0103.116] GetLastError () returned 0x0 [0103.116] SetLastError (dwErrCode=0x0) [0103.117] GetEnvironmentStringsW () returned 0x31f830* [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xb32) returned 0x320370 [0103.117] FreeEnvironmentStringsW (penv=0x31f830) returned 1 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x128) returned 0x31f830 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x31afd0 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x56) returned 0x31adb0 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x62) returned 0x320eb0 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x320f20 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x62) returned 0x31f960 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31e8f0 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x31b020 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x28) returned 0x317990 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1a) returned 0x3179c0 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x34) returned 0x31e930 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x5c) returned 0x31f9d0 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x32) returned 0x31e970 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31e9b0 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1c) returned 0x3179f0 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x19c) returned 0x31fa40 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x7c) returned 0x31fbf0 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3a) returned 0x31b070 [0103.117] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x90) returned 0x31fc80 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x317a20 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31e9f0 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x36) returned 0x31ea30 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x31b0c0 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x31fd20 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x31b110 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xd6) returned 0x31fd80 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31ea70 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x317a50 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x31eab0 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x54) returned 0x31fe60 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x31fec0 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x31eaf0 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x26) returned 0x317a80 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x31b160 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x317ab0 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31eb30 [0103.118] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x8c) returned 0x31ff20 [0103.119] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x320370 | out: hHeap=0x300000) returned 1 [0103.119] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1000) returned 0x320fa0 [0103.119] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0103.119] GetStartupInfoW (in: lpStartupInfo=0x24fa80 | out: lpStartupInfo=0x24fa80*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0103.119] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"127.0.0.1\"" [0103.119] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"127.0.0.1\"", pNumArgs=0x24fa50 | out: pNumArgs=0x24fa50) returned 0x320440*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0103.120] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0103.125] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x1000) returned 0x324090 [0103.125] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x10) returned 0x320e70 [0103.125] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="LKKIJ77", cchWideChar=-1, lpMultiByteStr=0x320e70, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LKKIJ77", lpUsedDefaultChar=0x0) returned 8 [0103.126] GetLastError () returned 0x0 [0103.126] SetLastError (dwErrCode=0x0) [0103.126] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77W") returned 0x0 [0103.126] GetLastError () returned 0x7f [0103.126] SetLastError (dwErrCode=0x7f) [0103.126] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77A") returned 0x0 [0103.126] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77") returned 0x7fef2ea6420 [0103.126] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x14) returned 0x320e90 [0103.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="127.0.0.1", cchWideChar=-1, lpMultiByteStr=0x320e90, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="127.0.0.1", lpUsedDefaultChar=0x0) returned 10 [0103.127] GetActiveWindow () returned 0x0 [0103.862] GetLastError () returned 0x7f [0103.862] SetLastError (dwErrCode=0x7f) Process: id = "34" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x3b831000" os_pid = "0xf2c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"127.0.0.1\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2198 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2199 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2200 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2201 start_va = 0x70000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 2202 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2203 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2204 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2205 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 2206 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2207 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2208 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2209 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2210 start_va = 0x170000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2211 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2212 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2213 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2214 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2215 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2216 start_va = 0x170000 end_va = 0x1d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2217 start_va = 0x210000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2218 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2219 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2220 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2221 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2222 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2234 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2235 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2236 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2237 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2238 start_va = 0x310000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 2239 start_va = 0x310000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 2240 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 2268 start_va = 0x1e0000 end_va = 0x208fff monitored = 0 entry_point = 0x1e1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2269 start_va = 0x470000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 2270 start_va = 0x1e0000 end_va = 0x208fff monitored = 0 entry_point = 0x1e1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2271 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2272 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2273 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2274 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2275 start_va = 0x600000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 2276 start_va = 0x790000 end_va = 0x1b8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 2391 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 2392 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 2393 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2397 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2398 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Thread: id = 132 os_tid = 0xf9c [0094.794] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fb78 | out: lpSystemTimeAsFileTime=0x16fb78*(dwLowDateTime=0x2e728150, dwHighDateTime=0x1d937fd)) [0094.795] GetCurrentThreadId () returned 0xf9c [0094.795] GetCurrentProcessId () returned 0xf2c [0094.795] QueryPerformanceCounter (in: lpPerformanceCount=0x16fb80 | out: lpPerformanceCount=0x16fb80*=3322907780019) returned 1 [0094.795] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0094.798] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0094.798] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0094.798] GetLastError () returned 0x7e [0094.798] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0094.798] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0094.799] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0094.799] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0094.799] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0094.800] GetProcessHeap () returned 0x210000 [0094.800] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0094.800] GetLastError () returned 0x7e [0094.800] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0094.800] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0094.800] GetLastError () returned 0x7e [0094.800] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0094.800] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0094.801] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3c8) returned 0x22cfb0 [0094.801] SetLastError (dwErrCode=0x7e) [0094.801] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1200) returned 0x22d380 [0094.803] GetStartupInfoW (in: lpStartupInfo=0x16fa50 | out: lpStartupInfo=0x16fa50*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x16fad8, hStdError=0x1)) [0094.803] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0094.803] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0094.803] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0094.803] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"127.0.0.1\"" [0094.803] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"127.0.0.1\"" [0094.803] GetACP () returned 0x4e4 [0094.804] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x228) returned 0x22ab90 [0094.804] IsValidCodePage (CodePage=0x4e4) returned 1 [0094.804] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x16fa10 | out: lpCPInfo=0x16fa10) returned 1 [0094.804] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x16f2b0 | out: lpCPInfo=0x16f2b0) returned 1 [0094.804] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f2d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0094.804] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f2d0, cbMultiByte=256, lpWideCharStr=0x16f000, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0094.804] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x16f5d0 | out: lpCharType=0x16f5d0) returned 1 [0094.804] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f2d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0094.804] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f2d0, cbMultiByte=256, lpWideCharStr=0x16efa0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0094.804] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0094.805] GetLastError () returned 0x7e [0094.805] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0094.805] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0094.805] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x16ed90, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0094.805] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x16f3d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«\"", lpUsedDefaultChar=0x0) returned 256 [0094.805] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f2d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0094.805] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f2d0, cbMultiByte=256, lpWideCharStr=0x16efa0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0094.805] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0094.805] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x16ed90, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0094.806] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x16f4d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0094.806] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x100) returned 0x22f590 [0094.806] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0094.806] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x192) returned 0x22f6a0 [0094.806] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0094.806] GetLastError () returned 0x0 [0094.806] SetLastError (dwErrCode=0x0) [0094.806] GetEnvironmentStringsW () returned 0x22f840* [0094.806] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0xb32) returned 0x230380 [0094.806] FreeEnvironmentStringsW (penv=0x22f840) returned 1 [0094.806] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x128) returned 0x22f840 [0094.806] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3e) returned 0x22afe0 [0094.806] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x56) returned 0x22adc0 [0094.806] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x62) returned 0x230ec0 [0094.806] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x78) returned 0x230f30 [0094.806] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x62) returned 0x22f970 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x30) returned 0x22e900 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x48) returned 0x22b030 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x28) returned 0x2279a0 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1a) returned 0x2279d0 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x34) returned 0x22e940 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x5c) returned 0x22f9e0 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x32) returned 0x22e980 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2e) returned 0x22e9c0 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1c) returned 0x227a00 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x19c) returned 0x22fa50 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x7c) returned 0x22fc00 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3a) returned 0x22b080 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x90) returned 0x22fc90 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x24) returned 0x227a30 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x30) returned 0x22ea00 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x36) returned 0x22ea40 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3c) returned 0x22b0d0 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x52) returned 0x22fd30 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3c) returned 0x22b120 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0xd6) returned 0x22fd90 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2e) returned 0x22ea80 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1e) returned 0x227a60 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2c) returned 0x22eac0 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x54) returned 0x22fe70 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x52) returned 0x22fed0 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x2c) returned 0x22eb00 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x26) returned 0x227a90 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x3e) returned 0x22b170 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x24) returned 0x227ac0 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x30) returned 0x22eb40 [0094.807] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x8c) returned 0x22ff30 [0094.808] HeapFree (in: hHeap=0x210000, dwFlags=0x0, lpMem=0x230380 | out: hHeap=0x210000) returned 1 [0094.808] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x8, Size=0x1000) returned 0x230fb0 [0094.808] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0094.809] GetStartupInfoW (in: lpStartupInfo=0x16fae0 | out: lpStartupInfo=0x16fae0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0094.809] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"127.0.0.1\"" [0094.809] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"127.0.0.1\"", pNumArgs=0x16fab0 | out: pNumArgs=0x16fab0) returned 0x230450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0094.809] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0094.817] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x1000) returned 0x2340a0 [0094.817] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x16) returned 0x230e80 [0094.817] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MMlFUh3Tzt", cchWideChar=-1, lpMultiByteStr=0x230e80, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMlFUh3Tzt", lpUsedDefaultChar=0x0) returned 11 [0094.817] GetLastError () returned 0x0 [0094.818] SetLastError (dwErrCode=0x0) [0095.057] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztW") returned 0x0 [0095.058] GetLastError () returned 0x7f [0095.058] SetLastError (dwErrCode=0x7f) [0095.058] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztA") returned 0x0 [0095.058] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3Tzt") returned 0x7fef2eb0cf0 [0095.058] RtlAllocateHeap (HeapHandle=0x210000, Flags=0x0, Size=0x14) returned 0x230ea0 [0095.058] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="127.0.0.1", cchWideChar=-1, lpMultiByteStr=0x230ea0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="127.0.0.1", lpUsedDefaultChar=0x0) returned 10 [0095.058] GetActiveWindow () returned 0x0 [0095.506] GetLastError () returned 0x7f [0095.506] SetLastError (dwErrCode=0x7f) Process: id = "35" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x3c43d000" os_pid = "0xbf8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"explorer.exe\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2417 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2418 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2419 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2420 start_va = 0x1f0000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2421 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2422 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2423 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2424 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 2425 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2426 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2427 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2428 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2429 start_va = 0x50000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2430 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2431 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2432 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2433 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2434 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2435 start_va = 0x2f0000 end_va = 0x356fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2436 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2437 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2438 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2439 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2440 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2441 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2442 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2443 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2444 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2445 start_va = 0x360000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 2446 start_va = 0x360000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 2447 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2451 start_va = 0x50000 end_va = 0x78fff monitored = 0 entry_point = 0x51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2452 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2453 start_va = 0x530000 end_va = 0x6b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 2454 start_va = 0x50000 end_va = 0x78fff monitored = 0 entry_point = 0x51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2455 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2456 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2457 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2458 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2459 start_va = 0x6c0000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 2460 start_va = 0x850000 end_va = 0x1c4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 2463 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 2464 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 2465 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2842 start_va = 0x460000 end_va = 0x4ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 2843 start_va = 0x1c50000 end_va = 0x1da7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 2844 start_va = 0x1db0000 end_va = 0x1f10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001db0000" filename = "" Region: id = 2845 start_va = 0x7fefd2c0000 end_va = 0x7fefd42cfff monitored = 0 entry_point = 0x7fefd2c10b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2846 start_va = 0x7fefd270000 end_va = 0x7fefd27efff monitored = 0 entry_point = 0x7fefd271020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2847 start_va = 0x7fefd060000 end_va = 0x7fefd06afff monitored = 0 entry_point = 0x7fefd061030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2848 start_va = 0x7fefd090000 end_va = 0x7fefd0b4fff monitored = 0 entry_point = 0x7fefd099658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2849 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2850 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2851 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2852 start_va = 0x7fefabb0000 end_va = 0x7fefabc7fff monitored = 0 entry_point = 0x7fefabb1010 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2853 start_va = 0x7fefacc0000 end_va = 0x7feface6fff monitored = 0 entry_point = 0x7fefacc98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2854 start_va = 0x7fefed70000 end_va = 0x7fefed77fff monitored = 0 entry_point = 0x7fefed71504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2855 start_va = 0x7fefacb0000 end_va = 0x7fefacbafff monitored = 0 entry_point = 0x7fefacb1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2856 start_va = 0x7fefb550000 end_va = 0x7fefb560fff monitored = 0 entry_point = 0x7fefb551070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2857 start_va = 0x7feff280000 end_va = 0x7feff2ccfff monitored = 0 entry_point = 0x7feff281070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2858 start_va = 0x1f20000 end_va = 0x20bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f20000" filename = "" Region: id = 2861 start_va = 0x20c0000 end_va = 0x238efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2878 start_va = 0x24a0000 end_va = 0x259ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 2879 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2888 start_va = 0x1f20000 end_va = 0x1f9cfff monitored = 0 entry_point = 0x1f2cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2889 start_va = 0x2040000 end_va = 0x20bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 2890 start_va = 0x1f20000 end_va = 0x1f9cfff monitored = 0 entry_point = 0x1f2cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2891 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2929 start_va = 0x1f40000 end_va = 0x203ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 2930 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2931 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2932 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2933 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 2934 start_va = 0x7fef9520000 end_va = 0x7fef952dfff monitored = 0 entry_point = 0x7fef9525500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2935 start_va = 0x7fef97c0000 end_va = 0x7fef9836fff monitored = 0 entry_point = 0x7fef97fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2936 start_va = 0x7fefcc30000 end_va = 0x7fefcc51fff monitored = 0 entry_point = 0x7fefcc35d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2937 start_va = 0x2640000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 2938 start_va = 0x7fefcac0000 end_va = 0x7fefcad7fff monitored = 0 entry_point = 0x7fefcac3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2939 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2940 start_va = 0x190000 end_va = 0x1d4fff monitored = 0 entry_point = 0x191064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2941 start_va = 0x190000 end_va = 0x1d4fff monitored = 0 entry_point = 0x191064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2942 start_va = 0x190000 end_va = 0x1d4fff monitored = 0 entry_point = 0x191064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2943 start_va = 0x190000 end_va = 0x1d4fff monitored = 0 entry_point = 0x191064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2944 start_va = 0x190000 end_va = 0x1d4fff monitored = 0 entry_point = 0x191064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2945 start_va = 0x7fefc7c0000 end_va = 0x7fefc806fff monitored = 0 entry_point = 0x7fefc7c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2946 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c3fff monitored = 0 entry_point = 0x7fefd1b10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2951 start_va = 0x2780000 end_va = 0x287ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 2952 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2953 start_va = 0x29c0000 end_va = 0x2abffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029c0000" filename = "" Region: id = 2954 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2955 start_va = 0x7fef9240000 end_va = 0x7fef9252fff monitored = 0 entry_point = 0x7fef9241d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2956 start_va = 0x7fef9560000 end_va = 0x7fef9632fff monitored = 0 entry_point = 0x7fef95d8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2957 start_va = 0x7fef9530000 end_va = 0x7fef9556fff monitored = 0 entry_point = 0x7fef95311a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2958 start_va = 0x190000 end_va = 0x192fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Thread: id = 143 os_tid = 0xddc [0100.308] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efd58 | out: lpSystemTimeAsFileTime=0x2efd58*(dwLowDateTime=0x31406e60, dwHighDateTime=0x1d937fd)) [0100.308] GetCurrentThreadId () returned 0xddc [0100.308] GetCurrentProcessId () returned 0xbf8 [0100.308] QueryPerformanceCounter (in: lpPerformanceCount=0x2efd60 | out: lpPerformanceCount=0x2efd60*=3323459137449) returned 1 [0100.309] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0100.312] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0100.313] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0100.313] GetLastError () returned 0x7e [0100.313] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0100.313] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0100.314] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0100.314] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0100.314] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0100.315] GetProcessHeap () returned 0x90000 [0100.315] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0100.315] GetLastError () returned 0x7e [0100.315] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0100.315] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0100.315] GetLastError () returned 0x7e [0100.315] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0100.315] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0100.316] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3c8) returned 0xacfb0 [0100.316] SetLastError (dwErrCode=0x7e) [0100.316] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1200) returned 0xad380 [0100.318] GetStartupInfoW (in: lpStartupInfo=0x2efc30 | out: lpStartupInfo=0x2efc30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2efcb8, hStdError=0x1)) [0100.318] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0100.318] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0100.318] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0100.318] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"explorer.exe\"" [0100.318] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"explorer.exe\"" [0100.318] GetACP () returned 0x4e4 [0100.318] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x228) returned 0xaab90 [0100.318] IsValidCodePage (CodePage=0x4e4) returned 1 [0100.318] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2efbf0 | out: lpCPInfo=0x2efbf0) returned 1 [0100.318] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2ef490 | out: lpCPInfo=0x2ef490) returned 1 [0100.318] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef4b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0100.319] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef4b0, cbMultiByte=256, lpWideCharStr=0x2ef1e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0100.319] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x2ef7b0 | out: lpCharType=0x2ef7b0) returned 1 [0100.319] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef4b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0100.319] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef4b0, cbMultiByte=256, lpWideCharStr=0x2ef180, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0100.319] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0100.319] GetLastError () returned 0x7e [0100.319] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0100.319] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0100.320] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2eef70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0100.320] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2ef5b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«\n", lpUsedDefaultChar=0x0) returned 256 [0100.320] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef4b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0100.320] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef4b0, cbMultiByte=256, lpWideCharStr=0x2ef180, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0100.320] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0100.320] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2eef70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0100.320] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2ef6b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0100.320] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x100) returned 0xaf590 [0100.320] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0100.320] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x198) returned 0xaf6a0 [0100.320] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0100.320] GetLastError () returned 0x0 [0100.320] SetLastError (dwErrCode=0x0) [0100.320] GetEnvironmentStringsW () returned 0xaf840* [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0xb32) returned 0xb0380 [0100.321] FreeEnvironmentStringsW (penv=0xaf840) returned 1 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x128) returned 0xaf840 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3e) returned 0xaafe0 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x56) returned 0xaadc0 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x62) returned 0xb0ec0 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x78) returned 0xb0f30 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x62) returned 0xaf970 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x30) returned 0xae900 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x48) returned 0xab030 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x28) returned 0xa79a0 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1a) returned 0xa79d0 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x34) returned 0xae940 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x5c) returned 0xaf9e0 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x32) returned 0xae980 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x2e) returned 0xae9c0 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1c) returned 0xa7a00 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x19c) returned 0xafa50 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x7c) returned 0xafc00 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3a) returned 0xab080 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x90) returned 0xafc90 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x24) returned 0xa7a30 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x30) returned 0xaea00 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x36) returned 0xaea40 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3c) returned 0xab0d0 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x52) returned 0xafd30 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3c) returned 0xab120 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0xd6) returned 0xafd90 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x2e) returned 0xaea80 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1e) returned 0xa7a60 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x2c) returned 0xaeac0 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x54) returned 0xafe70 [0100.321] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x52) returned 0xafed0 [0100.322] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x2c) returned 0xaeb00 [0100.322] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x26) returned 0xa7a90 [0100.322] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3e) returned 0xab170 [0100.322] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x24) returned 0xa7ac0 [0100.322] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x30) returned 0xaeb40 [0100.322] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x8c) returned 0xaff30 [0100.322] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb0380 | out: hHeap=0x90000) returned 1 [0100.322] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1000) returned 0xb0fb0 [0100.322] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0100.323] GetStartupInfoW (in: lpStartupInfo=0x2efcc0 | out: lpStartupInfo=0x2efcc0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0100.323] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"explorer.exe\"" [0100.323] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"explorer.exe\"", pNumArgs=0x2efc90 | out: pNumArgs=0x2efc90) returned 0xb0450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0100.323] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0100.331] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x1000) returned 0xb40a0 [0100.332] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x16) returned 0xb0e80 [0100.332] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Cpurthnvlc", cchWideChar=-1, lpMultiByteStr=0xb0e80, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Cpurthnvlc", lpUsedDefaultChar=0x0) returned 11 [0100.332] GetLastError () returned 0x0 [0100.332] SetLastError (dwErrCode=0x0) [0100.332] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcW") returned 0x0 [0100.332] GetLastError () returned 0x7f [0100.332] SetLastError (dwErrCode=0x7f) [0100.332] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcA") returned 0x0 [0100.332] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="Cpurthnvlc") returned 0x7fef2ea5970 [0100.332] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x1a) returned 0xa7b50 [0100.332] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=-1, lpMultiByteStr=0xa7b50, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 13 [0100.333] GetActiveWindow () returned 0x0 [0123.073] VirtualAlloc (lpAddress=0x0, dwSize=0x7e000, flAllocationType=0x3000, flProtect=0x40) returned 0x460000 [0123.231] GetProcAddress (hModule=0x77160000, lpProcName="ExitProcess") returned 0x772a40f0 [0123.232] GetProcAddress (hModule=0x77160000, lpProcName="LoadLibraryW") returned 0x77176420 [0123.232] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77280000 [0123.232] GetProcAddress (hModule=0x77280000, lpProcName="NtMapViewOfSection") returned 0x772d1590 [0123.232] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenFile") returned 0x772d1640 [0123.232] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenSection") returned 0x772d1680 [0123.232] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateSection") returned 0x772d17b0 [0123.232] GetProcAddress (hModule=0x77160000, lpProcName="VirtualProtect") returned 0x771629f0 [0123.232] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentThreadId") returned 0x77173380 [0123.232] GetProcAddress (hModule=0x77160000, lpProcName="GetModuleFileNameA") returned 0x77175940 [0123.232] GetProcAddress (hModule=0x77160000, lpProcName="VirtualAlloc") returned 0x77175c40 [0123.232] GetProcAddress (hModule=0x77160000, lpProcName="GetProcessHeap") returned 0x77181a30 [0123.233] GetProcAddress (hModule=0x77160000, lpProcName="HeapAlloc") returned 0x772d33a0 [0123.233] GetProcAddress (hModule=0x77160000, lpProcName="HeapFree") returned 0x77181a50 [0123.233] GetModuleFileNameA (in: hModule=0x7fef2ea0000, lpFilename=0x2ef990, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll")) returned 0x62 [0123.233] VirtualAlloc (lpAddress=0x0, dwSize=0x158000, flAllocationType=0x3000, flProtect=0x4) returned 0x1c50000 [0123.326] GetProcessHeap () returned 0x90000 [0123.326] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x3f80) returned 0xb50b0 [0123.522] GetProcessHeap () returned 0x90000 [0123.523] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb50b0 | out: hHeap=0x90000) returned 1 [0123.524] GetCurrentThreadId () returned 0xddc [0123.524] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ef854 | out: lpflOldProtect=0x2ef854*=0x20) returned 1 [0123.526] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ef854 | out: lpflOldProtect=0x2ef854*=0x40) returned 1 [0123.526] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ef854 | out: lpflOldProtect=0x2ef854*=0x20) returned 1 [0123.526] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ef854 | out: lpflOldProtect=0x2ef854*=0x40) returned 1 [0123.526] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ef854 | out: lpflOldProtect=0x2ef854*=0x20) returned 1 [0123.527] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ef854 | out: lpflOldProtect=0x2ef854*=0x40) returned 1 [0123.527] LoadLibraryW (lpLibFileName="gdiplus.dll") returned 0x1db0000 [0123.528] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ee6c4 | out: lpflOldProtect=0x2ee6c4*=0x20) returned 1 [0123.529] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ee6c4 | out: lpflOldProtect=0x2ee6c4*=0x40) returned 1 [0123.529] NtOpenFile (in: FileHandle=0x2ee7a8, DesiredAccess=0x100020, ObjectAttributes=0x2ee7f8*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x2ee828, ShareAccess=0x3, OpenOptions=0x21 | out: FileHandle=0x2ee7a8*=0x70, IoStatusBlock=0x2ee828*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0123.766] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ee6c4 | out: lpflOldProtect=0x2ee6c4*=0x20) returned 1 [0123.767] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ee6c4 | out: lpflOldProtect=0x2ee6c4*=0x40) returned 1 [0123.767] GetCurrentThreadId () returned 0xddc [0123.767] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ef394 | out: lpflOldProtect=0x2ef394*=0x20) returned 1 [0123.768] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ef394 | out: lpflOldProtect=0x2ef394*=0x40) returned 1 [0123.768] NtOpenFile (in: FileHandle=0x2ef460, DesiredAccess=0x100021, ObjectAttributes=0x2ef518*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x2ef548, ShareAccess=0x5, OpenOptions=0x60 | out: FileHandle=0x2ef460*=0x74, IoStatusBlock=0x2ef548*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0123.768] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ef384 | out: lpflOldProtect=0x2ef384*=0x20) returned 1 [0123.769] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ef384 | out: lpflOldProtect=0x2ef384*=0x40) returned 1 [0123.769] GetCurrentThreadId () returned 0xddc [0123.769] NtCreateSection (in: SectionHandle=0x2ef468, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x74 | out: SectionHandle=0x2ef468*=0x78) returned 0x0 [0123.769] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x2ef214 | out: lpflOldProtect=0x2ef214*=0x20) returned 1 [0123.769] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x2ef214 | out: lpflOldProtect=0x2ef214*=0x40) returned 1 [0123.770] GetCurrentThreadId () returned 0xddc [0123.770] NtCreateSection (in: SectionHandle=0x2ef2f8, DesiredAccess=0xe, ObjectAttributes=0x0, MaximumSize=0x2ef2f0, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x2ef2f8*=0x7c) returned 0x0 [0123.770] NtMapViewOfSection (in: SectionHandle=0x7c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x2ef298*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x2ef4b8*=0x0, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x2ef298*=0x1db0000, SectionOffset=0x0, ViewSize=0x2ef4b8*=0x161000) returned 0x0 [0124.021] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ef398 | out: lpSystemTimeAsFileTime=0x2ef398*(dwLowDateTime=0x3de54f00, dwHighDateTime=0x1d937fd)) [0124.021] GetCurrentThreadId () returned 0xddc [0124.021] GetCurrentProcessId () returned 0xbf8 [0124.021] QueryPerformanceCounter (in: lpPerformanceCount=0x2ef3a0 | out: lpPerformanceCount=0x2ef3a0*=3327378553994) returned 1 [0124.148] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0124.148] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0124.148] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0124.148] GetLastError () returned 0x7e [0124.149] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0124.149] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0124.218] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0124.537] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0124.538] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0124.552] GetProcessHeap () returned 0x90000 [0124.614] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0124.615] GetLastError () returned 0x7e [0124.615] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0124.615] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0124.615] GetLastError () returned 0x7e [0124.615] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0124.628] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3c8) returned 0xc1a80 [0124.628] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0124.641] SetLastError (dwErrCode=0x7e) [0124.653] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1000) returned 0xc1e50 [0124.655] GetStartupInfoW (in: lpStartupInfo=0x2ef220 | out: lpStartupInfo=0x2ef220*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x1)) [0124.655] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0124.655] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0124.655] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0124.667] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"explorer.exe\"" [0124.667] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"explorer.exe\"" [0124.680] GetLastError () returned 0x7e [0124.680] SetLastError (dwErrCode=0x7e) [0124.680] GetLastError () returned 0x7e [0124.680] SetLastError (dwErrCode=0x7e) [0124.680] GetACP () returned 0x4e4 [0124.680] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x228) returned 0xc3e60 [0124.680] IsValidCodePage (CodePage=0x4e4) returned 1 [0124.680] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2ef1f0 | out: lpCPInfo=0x2ef1f0) returned 1 [0124.693] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2eea90 | out: lpCPInfo=0x2eea90) returned 1 [0124.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2eeab0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0124.693] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2eeab0, cbMultiByte=256, lpWideCharStr=0x2ee7e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ\x09") returned 256 [0124.693] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ\x09", cchSrc=256, lpCharType=0x2eedb0 | out: lpCharType=0x2eedb0) returned 1 [0124.705] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2eeab0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0124.705] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2eeab0, cbMultiByte=256, lpWideCharStr=0x2ee780, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0124.705] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0124.705] GetLastError () returned 0x7e [0124.705] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0124.705] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0124.705] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ee570, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0124.706] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2eebb0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x0e\x0b", lpUsedDefaultChar=0x0) returned 256 [0124.706] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2eeab0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0124.706] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2eeab0, cbMultiByte=256, lpWideCharStr=0x2ee780, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0124.706] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0124.706] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ee570, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0124.706] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2eecb0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0124.706] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x100) returned 0xc4090 [0124.706] RtlInitializeSListHead (in: ListHead=0x1ef8410 | out: ListHead=0x1ef8410) [0124.718] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0124.719] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0124.719] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0124.719] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0124.719] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0124.719] GetProcAddress (hModule=0x77160000, lpProcName="InitializeCriticalSectionEx") returned 0x77176e50 [0124.719] GetProcAddress (hModule=0x77160000, lpProcName="InitOnceExecuteOnce") returned 0x77165d60 [0124.719] GetProcAddress (hModule=0x77160000, lpProcName="CreateEventExW") returned 0x771ac970 [0124.719] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreW") returned 0x77168e00 [0124.719] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreExW") returned 0x771ac8a0 [0124.719] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolTimer") returned 0x77167e90 [0124.719] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolTimer") returned 0x7729b2f0 [0124.720] GetProcAddress (hModule=0x77160000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7728d8c0 [0124.720] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolTimer") returned 0x7728d620 [0124.720] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWait") returned 0x771abe60 [0124.720] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolWait") returned 0x7729e170 [0124.720] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWait") returned 0x7728c540 [0124.720] GetProcAddress (hModule=0x77160000, lpProcName="FlushProcessWriteBuffers") returned 0x772d1f80 [0124.720] GetProcAddress (hModule=0x77160000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x7734ec60 [0124.720] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentProcessorNumber") returned 0x772d0040 [0124.720] GetProcAddress (hModule=0x77160000, lpProcName="CreateSymbolicLinkW") returned 0x771d5af0 [0124.720] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentPackageId") returned 0x0 [0124.720] GetProcAddress (hModule=0x77160000, lpProcName="GetTickCount64") returned 0x77168ac0 [0124.720] GetProcAddress (hModule=0x77160000, lpProcName="GetFileInformationByHandleEx") returned 0x771712f0 [0124.721] GetProcAddress (hModule=0x77160000, lpProcName="SetFileInformationByHandle") returned 0x771ac120 [0124.721] GetProcAddress (hModule=0x77160000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0124.721] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0124.721] GetProcAddress (hModule=0x77160000, lpProcName="WakeConditionVariable") returned 0x7733bab0 [0124.721] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0124.721] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0124.721] GetProcAddress (hModule=0x77160000, lpProcName="InitializeSRWLock") returned 0x772b84f0 [0124.721] GetProcAddress (hModule=0x77160000, lpProcName="AcquireSRWLockExclusive") returned 0x772a8020 [0124.721] GetProcAddress (hModule=0x77160000, lpProcName="TryAcquireSRWLockExclusive") returned 0x7732bdd0 [0124.721] GetProcAddress (hModule=0x77160000, lpProcName="ReleaseSRWLockExclusive") returned 0x772a8050 [0124.721] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableSRW") returned 0x771ab5c0 [0124.722] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWork") returned 0x77165d30 [0124.722] GetProcAddress (hModule=0x77160000, lpProcName="SubmitThreadpoolWork") returned 0x77292330 [0124.722] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWork") returned 0x772921f0 [0124.722] GetProcAddress (hModule=0x77160000, lpProcName="CompareStringEx") returned 0x771abd60 [0124.722] GetProcAddress (hModule=0x77160000, lpProcName="GetLocaleInfoEx") returned 0x771635e0 [0124.722] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0124.722] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0124.722] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0124.722] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0124.722] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0124.722] RtlInitializeConditionVariable () returned 0x772a00b0 [0124.735] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1000) returned 0xc41a0 [0124.748] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1ef8fb0, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0xe0) returned 0xb2ee0 [0124.748] GetEnvironmentStringsW () returned 0xc51b0* [0124.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1433 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x599) returned 0xc5cf0 [0124.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0xc5cf0, cbMultiByte=1433, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1433 [0124.748] FreeEnvironmentStringsW (penv=0xc51b0) returned 1 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x128) returned 0xc51b0 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1f) returned 0xb5c80 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x2b) returned 0xc3750 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x31) returned 0xc3790 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3c) returned 0xc00c0 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x31) returned 0xc37d0 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x18) returned 0xb0ea0 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x24) returned 0xb5cb0 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x14) returned 0xc52e0 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0xd) returned 0xc5300 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1a) returned 0xb5ce0 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x2e) returned 0xc3810 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x19) returned 0xb5d10 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x17) returned 0xc5320 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0xe) returned 0xc5340 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0xce) returned 0xc5360 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3e) returned 0xc0110 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1d) returned 0xb5d40 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x48) returned 0xc0160 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x12) returned 0xc5440 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x18) returned 0xc5460 [0124.748] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1b) returned 0xb5d70 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1e) returned 0xb5da0 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x29) returned 0xc3850 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1e) returned 0xb5dd0 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x6b) returned 0xbbdc0 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x17) returned 0xc5480 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0xf) returned 0xc54a0 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x16) returned 0xc54c0 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x2a) returned 0xc3890 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x29) returned 0xc38d0 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x16) returned 0xc54e0 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x13) returned 0xc62d0 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x1f) returned 0xb5e00 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x12) returned 0xc62f0 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x18) returned 0xc6310 [0124.749] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x46) returned 0xc01b0 [0124.750] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc5cf0 | out: hHeap=0x90000) returned 1 [0124.775] GetCurrentThread () returned 0xfffffffffffffffe [0124.775] GetThreadTimes (in: hThread=0xfffffffffffffffe, lpCreationTime=0x2ef2d8, lpExitTime=0x2ef2d0, lpKernelTime=0x2ef2d0, lpUserTime=0x2ef2d0 | out: lpCreationTime=0x2ef2d8, lpExitTime=0x2ef2d0, lpKernelTime=0x2ef2d0, lpUserTime=0x2ef2d0) returned 1 [0124.775] RtlInitializeSListHead (in: ListHead=0x1ef8aa0 | out: ListHead=0x1ef8aa0) [0124.799] RtlPcToFileHeader (in: PcValue=0x1edfef8, BaseOfImage=0x2ef200 | out: BaseOfImage=0x2ef200*=0x1db0000) returned 0x1db0000 [0124.836] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x50) returned 0xc6aa0 [0124.836] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x98 [0124.836] RtlWakeAllConditionVariable () returned 0x772a00b0 [0124.848] RtlWakeAllConditionVariable () returned 0x772a00b0 [0124.848] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x2ef150 | out: lpWSAData=0x2ef150) returned 0 [0124.974] RtlWakeAllConditionVariable () returned 0x772a00b0 [0124.974] RtlWakeAllConditionVariable () returned 0x772a00b0 [0124.991] RtlSizeHeap (HeapHandle=0x90000, Flags=0x0, MemoryPointer=0xc4090) returned 0x100 [0124.991] RtlReAllocateHeap (Heap=0x90000, Flags=0x0, Ptr=0xc4090, Size=0x200) returned 0xc5500 [0125.084] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0125.084] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateThreadEx") returned 0x772d1d90 [0125.084] GetProcAddress (hModule=0x77280000, lpProcName="RtlNewSecurityObjectWithMultipleInheritance") returned 0x77364540 [0125.084] GetCurrentProcess () returned 0xffffffffffffffff [0125.084] NtCreateThreadEx (in: ThreadHandle=0x1ef9890, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffffffffffff, lpStartAddress=0x77364540, lpParameter=0x0, CreateSuspended=1, StackZeroBits=0x0, SizeOfStackCommit=0x0, SizeOfStackReserve=0x0, lpBytesBuffer=0x0 | out: ThreadHandle=0x1ef9890*=0xb0, lpBytesBuffer=0x0) returned 0x0 [0125.085] GetThreadContext (in: hThread=0xb0, lpContext=0x2eee80 | out: lpContext=0x2eee80*(P1Home=0xc6ea0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0xc, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0xc4090, Dr2=0x772d3488, Dr3=0x90230, Dr6=0x90388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x77364540, Rdx=0x0, Rbx=0x0, Rsp=0x259fa58, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0xc4090, VectorRegister.High=0xc4090, VectorControl=0x0, DebugControl=0x1e37129, LastBranchToRip=0x0, LastBranchFromRip=0x2ef838, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0125.169] SetThreadContext (hThread=0xb0, lpContext=0x2eee80*(P1Home=0xc6ea0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0xc, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0xc4090, Dr2=0x772d3488, Dr3=0x90230, Dr6=0x90388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x1dc365c, Rdx=0x0, Rbx=0x0, Rsp=0x259fa58, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0xc4090, VectorRegister.High=0xc4090, VectorControl=0x0, DebugControl=0x1e37129, LastBranchToRip=0x0, LastBranchFromRip=0x2ef838, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0125.169] ResumeThread (hThread=0xb0) returned 0x1 [0125.170] GetProcAddress (hModule=0x1db0000, lpProcName="setPath") returned 0x1dc4604 [0125.170] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x70) returned 0xbbe40 [0125.170] SetEvent (hEvent=0x98) returned 1 [0125.189] WaitForSingleObject (hHandle=0xb0, dwMilliseconds=0xffffffff) returned 0x0 [0137.472] RtlExitUserProcess (ExitCode=0x0) [0137.478] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xacfb0 | out: hHeap=0x90000) returned 1 [0137.550] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc1a80 | out: hHeap=0x90000) returned 1 [0137.634] WSACleanup () returned 0 [0137.678] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xbbe40 | out: hHeap=0x90000) returned 1 [0137.678] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6aa0 | out: hHeap=0x90000) returned 1 [0137.754] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9660 | out: hHeap=0x90000) returned 1 [0137.755] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc83d0 | out: hHeap=0x90000) returned 1 [0137.755] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6350 | out: hHeap=0x90000) returned 1 [0137.755] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc4090 | out: hHeap=0x90000) returned 1 [0137.756] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc3e10 | out: hHeap=0x90000) returned 1 [0137.789] RtlInterlockedFlushSList (in: ListHead=0x1ef8410 | out: ListHead=0x1ef8410) returned 0x0 [0137.790] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc5500 | out: hHeap=0x90000) returned 1 [0137.874] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc41a0 | out: hHeap=0x90000) returned 1 [0137.875] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0137.876] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xe0cc0 | out: hHeap=0x90000) returned 1 [0137.876] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xf2f40 | out: hHeap=0x90000) returned 1 [0137.876] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc40b0 | out: hHeap=0x90000) returned 1 [0137.877] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc93a0 | out: hHeap=0x90000) returned 1 [0137.877] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xf6ba0 | out: hHeap=0x90000) returned 1 [0137.901] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0137.902] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xbbfc0 | out: hHeap=0x90000) returned 1 [0137.902] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xbc040 | out: hHeap=0x90000) returned 1 [0137.903] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xbc0c0 | out: hHeap=0x90000) returned 1 [0137.948] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5c80 | out: hHeap=0x90000) returned 1 [0137.948] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc3750 | out: hHeap=0x90000) returned 1 [0137.949] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc3790 | out: hHeap=0x90000) returned 1 [0137.950] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc00c0 | out: hHeap=0x90000) returned 1 [0137.951] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc37d0 | out: hHeap=0x90000) returned 1 [0137.951] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb0ea0 | out: hHeap=0x90000) returned 1 [0137.952] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5cb0 | out: hHeap=0x90000) returned 1 [0137.952] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc52e0 | out: hHeap=0x90000) returned 1 [0137.952] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc5300 | out: hHeap=0x90000) returned 1 [0137.952] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5ce0 | out: hHeap=0x90000) returned 1 [0137.952] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc3810 | out: hHeap=0x90000) returned 1 [0137.952] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5d10 | out: hHeap=0x90000) returned 1 [0137.952] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc5320 | out: hHeap=0x90000) returned 1 [0137.952] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc5340 | out: hHeap=0x90000) returned 1 [0137.953] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc5360 | out: hHeap=0x90000) returned 1 [0137.954] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0110 | out: hHeap=0x90000) returned 1 [0137.954] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5d40 | out: hHeap=0x90000) returned 1 [0137.954] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0160 | out: hHeap=0x90000) returned 1 [0137.954] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc5440 | out: hHeap=0x90000) returned 1 [0137.954] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc5460 | out: hHeap=0x90000) returned 1 [0137.954] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5d70 | out: hHeap=0x90000) returned 1 [0137.954] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5da0 | out: hHeap=0x90000) returned 1 [0137.955] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc3850 | out: hHeap=0x90000) returned 1 [0137.955] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5dd0 | out: hHeap=0x90000) returned 1 [0137.956] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xbbdc0 | out: hHeap=0x90000) returned 1 [0137.956] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc5480 | out: hHeap=0x90000) returned 1 [0137.956] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc54a0 | out: hHeap=0x90000) returned 1 [0137.956] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc54c0 | out: hHeap=0x90000) returned 1 [0137.956] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc3890 | out: hHeap=0x90000) returned 1 [0137.957] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc38d0 | out: hHeap=0x90000) returned 1 [0137.957] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc54e0 | out: hHeap=0x90000) returned 1 [0137.957] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc62d0 | out: hHeap=0x90000) returned 1 [0137.957] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e00 | out: hHeap=0x90000) returned 1 [0137.958] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc62f0 | out: hHeap=0x90000) returned 1 [0137.958] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6310 | out: hHeap=0x90000) returned 1 [0137.958] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc01b0 | out: hHeap=0x90000) returned 1 [0137.959] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc51b0 | out: hHeap=0x90000) returned 1 [0137.959] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc3e60 | out: hHeap=0x90000) returned 1 [0137.960] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb2ee0 | out: hHeap=0x90000) returned 1 [0137.987] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc1e50 | out: hHeap=0x90000) returned 1 [0137.988] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0137.988] FreeLibrary (hLibModule=0x77160000) returned 1 [0138.010] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0138.010] FreeLibrary (hLibModule=0x77160000) returned 1 Thread: id = 174 os_tid = 0x2ac [0125.190] GetLastError () returned 0x57 [0125.191] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0125.191] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x78) returned 0xbbec0 [0125.191] SetLastError (dwErrCode=0x57) [0125.191] GetLastError () returned 0x57 [0125.191] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3c8) returned 0xc5b30 [0125.191] SetLastError (dwErrCode=0x57) [0125.385] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0125.388] GetLastError () returned 0x7e [0125.407] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x259f4e0 | out: lpSystemTimeAsFileTime=0x259f4e0*(dwLowDateTime=0x3e452240, dwHighDateTime=0x1d937fd)) [0125.522] GetLastError () returned 0x7e [0125.536] SetLastError (dwErrCode=0x7e) [0125.536] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0125.654] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x70) returned 0xbbf40 [0125.866] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x260) returned 0xc5f00 [0126.108] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.234] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x38) returned 0xc3e10 [0126.296] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x2) returned 0xc4090 [0126.311] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc4090 | out: hHeap=0x90000) returned 1 [0126.311] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x2) returned 0xc4090 [0126.336] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x30) returned 0xc83d0 [0126.413] GetLastError () returned 0x7e [0126.413] SetLastError (dwErrCode=0x7e) [0126.425] GetLastError () returned 0x7e [0126.426] SetLastError (dwErrCode=0x7e) [0126.498] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x158) returned 0xc93a0 [0126.498] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x6a6) returned 0xc9500 [0126.499] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9500 | out: hHeap=0x90000) returned 1 [0126.499] GetLastError () returned 0x7e [0126.499] SetLastError (dwErrCode=0x7e) [0126.524] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x6) returned 0xc40b0 [0126.525] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x2) returned 0xc40d0 [0126.648] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x4) returned 0xc40f0 [0126.648] GetLastError () returned 0x7e [0126.648] SetLastError (dwErrCode=0x7e) [0126.648] GetLastError () returned 0x7e [0126.648] SetLastError (dwErrCode=0x7e) [0126.648] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x158) returned 0xc9500 [0126.648] GetLastError () returned 0x7e [0126.648] SetLastError (dwErrCode=0x7e) [0126.747] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x6a6) returned 0xc9660 [0126.747] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9660 | out: hHeap=0x90000) returned 1 [0126.749] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc40b0 | out: hHeap=0x90000) returned 1 [0126.749] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc93a0 | out: hHeap=0x90000) returned 1 [0126.749] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc40f0 | out: hHeap=0x90000) returned 1 [0126.749] GetLastError () returned 0x7e [0126.750] SetLastError (dwErrCode=0x7e) [0126.750] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x6) returned 0xc40b0 [0126.750] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x2) returned 0xc40f0 [0126.750] GetLastError () returned 0x7e [0126.750] SetLastError (dwErrCode=0x7e) [0126.750] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x200) returned 0xc9660 [0126.750] GetLastError () returned 0x7e [0126.750] SetLastError (dwErrCode=0x7e) [0126.750] GetLastError () returned 0x7e [0126.750] SetLastError (dwErrCode=0x7e) [0126.751] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x4) returned 0xc4110 [0126.751] GetLastError () returned 0x7e [0126.751] SetLastError (dwErrCode=0x7e) [0126.751] GetLastError () returned 0x7e [0126.751] SetLastError (dwErrCode=0x7e) [0126.751] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x158) returned 0xc93a0 [0126.751] GetLastError () returned 0x7e [0126.751] SetLastError (dwErrCode=0x7e) [0126.751] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x6a6) returned 0xc9870 [0126.752] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9870 | out: hHeap=0x90000) returned 1 [0126.752] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc40b0 | out: hHeap=0x90000) returned 1 [0126.752] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9500 | out: hHeap=0x90000) returned 1 [0126.752] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc4110 | out: hHeap=0x90000) returned 1 [0126.752] GetLastError () returned 0x7e [0126.753] SetLastError (dwErrCode=0x7e) [0126.753] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x6) returned 0xc40b0 [0126.753] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc40f0 | out: hHeap=0x90000) returned 1 [0126.753] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc40d0 | out: hHeap=0x90000) returned 1 [0126.753] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6350 [0126.753] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.753] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x25a) returned 0xc9870 [0126.769] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.877] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5ec0 [0126.877] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5ef0 [0126.878] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.892] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5ec0 | out: hHeap=0x90000) returned 1 [0126.892] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5ec0 [0126.892] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x60) returned 0xbd5e0 [0126.892] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.892] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x80) returned 0xc40d0 [0126.893] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xbd5e0 | out: hHeap=0x90000) returned 1 [0126.893] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5f20 [0126.893] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0xc0) returned 0xc6170 [0126.894] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc40d0 | out: hHeap=0x90000) returned 1 [0126.894] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5f50 [0126.894] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5f80 [0126.894] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x120) returned 0xc9500 [0126.894] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6170 | out: hHeap=0x90000) returned 1 [0126.894] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5fb0 [0126.894] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5fe0 [0126.894] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x1a0) returned 0xc9ae0 [0126.895] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9500 | out: hHeap=0x90000) returned 1 [0126.895] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb6010 [0126.895] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb6040 [0126.895] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb6070 [0126.895] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb60a0 [0126.895] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x260) returned 0xc9c90 [0126.895] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9ae0 | out: hHeap=0x90000) returned 1 [0126.895] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb60d0 [0126.896] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb6100 [0126.896] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb6130 [0126.896] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb6160 [0126.896] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xc9f30 [0126.896] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xc9f60 [0126.896] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x380) returned 0xcab00 [0126.897] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9c90 | out: hHeap=0x90000) returned 1 [0126.897] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xc9f90 [0126.897] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xc9fc0 [0126.897] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xc9ff0 [0126.897] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xca020 [0126.897] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xca050 [0126.897] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xca080 [0126.897] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xca0b0 [0126.897] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xca0e0 [0126.897] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xca110 [0126.897] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x540) returned 0xcae90 [0126.898] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xcab00 | out: hHeap=0x90000) returned 1 [0126.898] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xca140 [0126.898] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xca170 [0126.898] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xca1a0 [0126.898] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xca1d0 [0126.898] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xca200 [0126.898] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.899] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9870 | out: hHeap=0x90000) returned 1 [0126.899] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.899] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.899] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.899] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.900] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x12) returned 0xc6390 [0126.900] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.900] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.900] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.900] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.900] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.900] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.900] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0250 [0126.901] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.901] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.901] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.901] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x11) returned 0xc6390 [0126.901] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.901] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.902] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.902] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.902] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.902] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.902] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x80) returned 0xc40d0 [0126.902] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0250 | out: hHeap=0x90000) returned 1 [0126.903] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.904] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.904] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.904] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0xf) returned 0xc6390 [0126.904] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.904] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.905] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.905] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.905] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.905] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.905] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0xc0) returned 0xc6170 [0126.905] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc40d0 | out: hHeap=0x90000) returned 1 [0126.906] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.906] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.906] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.906] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6390 [0126.906] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.906] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.907] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.907] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.907] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.907] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.907] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x100) returned 0xc9500 [0126.907] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6170 | out: hHeap=0x90000) returned 1 [0126.908] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.908] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.908] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.909] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x13) returned 0xc6390 [0126.909] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.909] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.909] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.909] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.909] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.909] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.909] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x180) returned 0xcab00 [0126.910] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9500 | out: hHeap=0x90000) returned 1 [0126.911] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.911] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.911] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.965] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x12) returned 0xc6390 [0126.965] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.965] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.966] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.966] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.966] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.966] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.966] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.966] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.966] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.967] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6390 [0126.967] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.967] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.967] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.967] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.967] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.967] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.967] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x240) returned 0xc9870 [0126.968] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xcab00 | out: hHeap=0x90000) returned 1 [0126.969] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.969] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.969] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.969] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0xe) returned 0xc6390 [0126.969] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.969] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.970] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.970] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.970] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.970] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.971] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.971] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.971] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.971] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x12) returned 0xc6390 [0126.971] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.971] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.972] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.972] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.972] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.972] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.973] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.973] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.973] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.973] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x11) returned 0xc6390 [0126.973] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.973] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.974] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.974] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.974] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.974] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.974] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x340) returned 0xcab00 [0126.974] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9870 | out: hHeap=0x90000) returned 1 [0126.975] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.975] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.975] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.975] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x13) returned 0xc6390 [0126.975] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.975] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.976] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.976] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.976] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.976] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.976] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.977] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.977] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.977] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x12) returned 0xc6390 [0126.977] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.978] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.978] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.978] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.978] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.978] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.979] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.979] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.979] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.979] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x13) returned 0xc6390 [0126.979] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.980] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.980] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.980] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.980] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.980] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.981] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.981] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.981] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.981] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x12) returned 0xc6390 [0126.981] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.981] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.982] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.982] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.982] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.982] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.982] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x4c0) returned 0xc9870 [0126.983] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xcab00 | out: hHeap=0x90000) returned 1 [0126.983] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.983] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.984] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.984] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x11) returned 0xc6390 [0126.984] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.984] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.985] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.985] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.985] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.985] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.985] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.985] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.985] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.986] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x12) returned 0xc6390 [0126.986] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.986] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.986] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.986] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.986] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.986] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.987] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.987] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.987] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.987] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6390 [0126.987] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.987] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.988] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.988] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.988] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.988] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.988] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.988] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.989] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.989] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6390 [0126.989] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.989] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.989] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.990] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.990] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.990] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.990] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.990] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.990] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.991] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x11) returned 0xc6390 [0126.991] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.991] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.991] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.992] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.992] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.992] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.992] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.992] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.993] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.993] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x11) returned 0xc6390 [0126.993] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.993] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.993] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.994] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.994] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.994] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.994] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x700) returned 0xcb3e0 [0126.995] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9870 | out: hHeap=0x90000) returned 1 [0126.995] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.995] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.996] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.996] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x12) returned 0xc6390 [0126.996] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.996] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.997] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.997] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.997] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.997] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.997] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.998] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0126.998] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0126.998] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x11) returned 0xc6390 [0126.998] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0126.998] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0126.998] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0126.998] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0126.998] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0126.998] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0126.999] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0126.999] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0127.077] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0127.077] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x11) returned 0xc6390 [0127.078] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0127.078] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0127.078] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0127.078] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0127.078] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0127.078] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0127.079] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0127.079] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0127.079] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0127.079] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x12) returned 0xc6390 [0127.079] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0127.079] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0127.080] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0127.080] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0127.080] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0127.080] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0127.080] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0127.080] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0127.080] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0127.080] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x11) returned 0xc6390 [0127.080] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0127.080] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0127.081] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0127.081] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0127.081] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0127.081] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0127.081] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0127.081] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0127.081] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0127.081] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6390 [0127.082] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0127.082] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0127.082] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0127.082] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0127.082] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0127.082] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0127.082] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0127.082] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0127.083] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0127.083] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x12) returned 0xc6390 [0127.083] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0127.083] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0127.083] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0127.083] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0127.083] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0127.083] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0127.084] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0127.084] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0127.084] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0127.084] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x11) returned 0xc6390 [0127.084] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0127.084] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0127.085] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0127.085] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0127.085] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0127.085] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0127.086] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0127.086] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0127.087] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0127.087] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x13) returned 0xc6390 [0127.087] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0127.087] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0127.088] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0127.088] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0127.088] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0127.088] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0127.088] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0xa80) returned 0xcbaf0 [0127.089] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xcb3e0 | out: hHeap=0x90000) returned 1 [0127.090] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0127.090] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0127.090] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0127.090] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6390 [0127.090] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0127.090] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0127.091] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0127.091] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0127.091] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0127.091] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0127.092] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0127.092] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0127.092] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0127.092] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x11) returned 0xc6390 [0127.092] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0127.092] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0127.093] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0127.093] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0127.093] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0127.093] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0127.093] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0127.093] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0127.093] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0127.094] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x13) returned 0xc6390 [0127.094] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0127.094] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0127.094] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0127.094] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0127.094] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0127.094] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0127.095] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0127.095] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6330 [0127.095] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x10) returned 0xc6370 [0127.095] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x12) returned 0xc6390 [0127.095] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xb5e90 [0127.095] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x40) returned 0xc0200 [0127.096] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5e90 | out: hHeap=0x90000) returned 1 [0127.096] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6390 | out: hHeap=0x90000) returned 1 [0127.096] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6370 | out: hHeap=0x90000) returned 1 [0127.097] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6330 | out: hHeap=0x90000) returned 1 [0127.097] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc0200 | out: hHeap=0x90000) returned 1 [0127.098] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5ef0 | out: hHeap=0x90000) returned 1 [0127.098] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5ec0 | out: hHeap=0x90000) returned 1 [0127.099] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5f20 | out: hHeap=0x90000) returned 1 [0127.100] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5f50 | out: hHeap=0x90000) returned 1 [0127.101] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5f80 | out: hHeap=0x90000) returned 1 [0127.102] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5fb0 | out: hHeap=0x90000) returned 1 [0127.103] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb5fe0 | out: hHeap=0x90000) returned 1 [0127.103] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb6010 | out: hHeap=0x90000) returned 1 [0127.104] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb6040 | out: hHeap=0x90000) returned 1 [0127.105] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb6070 | out: hHeap=0x90000) returned 1 [0127.106] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb60a0 | out: hHeap=0x90000) returned 1 [0127.107] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb60d0 | out: hHeap=0x90000) returned 1 [0127.108] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb6100 | out: hHeap=0x90000) returned 1 [0127.109] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb6130 | out: hHeap=0x90000) returned 1 [0127.109] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xb6160 | out: hHeap=0x90000) returned 1 [0127.110] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9f30 | out: hHeap=0x90000) returned 1 [0127.118] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9f60 | out: hHeap=0x90000) returned 1 [0127.118] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9f90 | out: hHeap=0x90000) returned 1 [0127.118] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9fc0 | out: hHeap=0x90000) returned 1 [0127.119] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc9ff0 | out: hHeap=0x90000) returned 1 [0127.119] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xca020 | out: hHeap=0x90000) returned 1 [0127.199] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xca050 | out: hHeap=0x90000) returned 1 [0127.200] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xca080 | out: hHeap=0x90000) returned 1 [0127.201] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xca0b0 | out: hHeap=0x90000) returned 1 [0127.202] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xca0e0 | out: hHeap=0x90000) returned 1 [0127.202] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xca110 | out: hHeap=0x90000) returned 1 [0127.203] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xca140 | out: hHeap=0x90000) returned 1 [0127.204] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xca170 | out: hHeap=0x90000) returned 1 [0127.204] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xca1a0 | out: hHeap=0x90000) returned 1 [0127.205] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xca1d0 | out: hHeap=0x90000) returned 1 [0127.205] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xca200 | out: hHeap=0x90000) returned 1 [0127.206] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xcae90 | out: hHeap=0x90000) returned 1 [0127.207] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc5f00 | out: hHeap=0x90000) returned 1 [0127.207] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0127.216] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0132.635] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0132.635] GetProcAddress (hModule=0x77280000, lpProcName="ZwAllocateVirtualMemory") returned 0x772d1490 [0132.636] GetProcAddress (hModule=0x77280000, lpProcName="ZwWriteVirtualMemory") returned 0x772d16b0 [0132.636] GetProcAddress (hModule=0x77280000, lpProcName="ZwReadVirtualMemory") returned 0x772d1700 [0132.636] GetProcAddress (hModule=0x77280000, lpProcName="ZwGetContextThread") returned 0x772d1fe0 [0132.636] GetProcAddress (hModule=0x77280000, lpProcName="ZwSetContextThread") returned 0x772d2840 [0132.816] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x30) returned 0xd7ff0 [0132.881] CoCreateInstance (in: rclsid=0x1e957e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e957f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x259f390 | out: ppv=0x259f390*=0xc66b0) returned 0x0 [0132.905] WbemLocator:IWbemLocator:ConnectServer (in: This=0xc66b0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x259f388 | out: ppNamespace=0x259f388*=0xf35f0) returned 0x0 [0133.599] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x7fefd730000 [0133.599] GetProcAddress (hModule=0x7fefd730000, lpProcName="CoSetProxyBlanket") returned 0x7fefd76bf00 [0133.599] CoSetProxyBlanket (pProxy=0xf35f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0133.600] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x18) returned 0xc69b0 [0133.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xd7ff0, cbMultiByte=35, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 35 [0133.657] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xd7ff0, cbMultiByte=35, lpWideCharStr=0x259f280, cchWideChar=35 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystem") returned 35 [0133.658] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x18) returned 0xc69d0 [0133.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1eab258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0133.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1eab258, cbMultiByte=4, lpWideCharStr=0x259f2c0, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0133.658] IWbemServices:ExecQuery (in: This=0xf35f0, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystem", lFlags=48, pCtx=0x0, ppEnum=0x259f398 | out: ppEnum=0x259f398*=0xfa5b0) returned 0x0 [0133.721] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc69d0 | out: hHeap=0x90000) returned 1 [0133.721] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc69b0 | out: hHeap=0x90000) returned 1 [0133.721] IEnumWbemClassObject:Next (in: This=0xfa5b0, lTimeout=-1, uCount=0x1, apObjects=0x259f3a0, puReturned=0x259f4b8 | out: apObjects=0x259f3a0*=0xfe3c0, puReturned=0x259f4b8*=0x1) returned 0x0 [0133.816] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x259f4f0, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0133.880] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x259f4f0, cbMultiByte=4, lpWideCharStr=0x259f2b8, cchWideChar=4 | out: lpWideCharStr="Name") returned 4 [0133.907] IWbemClassObject:Get (in: This=0xfe3c0, wszName="Name", lFlags=0, pVal=0x259f440*(varType=0x0, wReserved1=0xd, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x259f440*(varType=0x8, wReserved1=0xd, wReserved2=0x0, wReserved3=0x0, varVal1="Q9IATRKPRH", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0133.963] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x20) returned 0xdbcd0 [0133.963] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0133.977] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x259f2d8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Q9IATRKPRH", lpUsedDefaultChar=0x0) returned 10 [0133.978] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xdbcd0 | out: hHeap=0x90000) returned 1 [0133.978] IUnknown:Release (This=0xfe3c0) returned 0x0 [0133.978] WbemLocator:IUnknown:Release (This=0xf35f0) returned 0x0 [0134.019] WbemLocator:IUnknown:Release (This=0xc66b0) returned 0x0 [0134.019] IUnknown:Release (This=0xfa5b0) returned 0x0 [0134.021] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xd7ff0 | out: hHeap=0x90000) returned 1 [0134.021] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x30) returned 0xd7ff0 [0134.021] CoCreateInstance (in: rclsid=0x1e957e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1e957f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x259f390 | out: ppv=0x259f390*=0xc69d0) returned 0x0 [0134.021] WbemLocator:IWbemLocator:ConnectServer (in: This=0xc69d0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x259f388 | out: ppNamespace=0x259f388*=0xf35f0) returned 0x0 [0134.158] CoSetProxyBlanket (pProxy=0xf35f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0134.158] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x18) returned 0xc6a30 [0134.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xd7ff0, cbMultiByte=42, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 42 [0134.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xd7ff0, cbMultiByte=42, lpWideCharStr=0x259f270, cchWideChar=42 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystemProduct") returned 42 [0134.158] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x18) returned 0xc66b0 [0134.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1eab258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0134.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1eab258, cbMultiByte=4, lpWideCharStr=0x259f2c0, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0134.158] IWbemServices:ExecQuery (in: This=0xf35f0, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystemProduct", lFlags=48, pCtx=0x0, ppEnum=0x259f398 | out: ppEnum=0x259f398*=0xfa5b0) returned 0x0 [0134.161] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc66b0 | out: hHeap=0x90000) returned 1 [0134.161] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc6a30 | out: hHeap=0x90000) returned 1 [0134.161] IEnumWbemClassObject:Next (in: This=0xfa5b0, lTimeout=-1, uCount=0x1, apObjects=0x259f3a0, puReturned=0x259f4b8 | out: apObjects=0x259f3a0*=0xfc330, puReturned=0x259f4b8*=0x1) returned 0x0 [0134.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x259f4f0, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0134.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x259f4f0, cbMultiByte=4, lpWideCharStr=0x259f2b8, cchWideChar=4 | out: lpWideCharStr="UUID") returned 4 [0134.280] IWbemClassObject:Get (in: This=0xfc330, wszName="UUID", lFlags=0, pVal=0x259f440*(varType=0x0, wReserved1=0xd, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x259f440*(varType=0x8, wReserved1=0xd, wReserved2=0x0, wReserved3=0x0, varVal1="4C4C4544-0050-3710-8058-CAC04F59344A", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0134.280] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x50) returned 0xd76d0 [0134.281] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0134.281] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x30) returned 0xedcf0 [0134.281] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0xedcf0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4C4C4544-0050-3710-8058-CAC04F59344A", lpUsedDefaultChar=0x0) returned 36 [0134.282] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xd76d0 | out: hHeap=0x90000) returned 1 [0134.282] IUnknown:Release (This=0xfc330) returned 0x0 [0134.283] WbemLocator:IUnknown:Release (This=0xf35f0) returned 0x0 [0134.284] WbemLocator:IUnknown:Release (This=0xc69d0) returned 0x0 [0134.284] IUnknown:Release (This=0xfa5b0) returned 0x0 [0134.290] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xd7ff0 | out: hHeap=0x90000) returned 1 [0134.291] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x30) returned 0xd7ff0 [0134.698] GetLastError () returned 0x0 [0134.698] SetLastError (dwErrCode=0x0) [0134.916] GetLastError () returned 0x0 [0134.917] SetLastError (dwErrCode=0x0) [0134.917] GetLastError () returned 0x0 [0134.917] SetLastError (dwErrCode=0x0) [0134.917] GetLastError () returned 0x0 [0134.917] SetLastError (dwErrCode=0x0) [0134.917] GetLastError () returned 0x0 [0134.917] SetLastError (dwErrCode=0x0) [0134.917] GetLastError () returned 0x0 [0134.917] SetLastError (dwErrCode=0x0) [0134.917] GetLastError () returned 0x0 [0134.917] SetLastError (dwErrCode=0x0) [0134.917] GetLastError () returned 0x0 [0134.917] SetLastError (dwErrCode=0x0) [0134.917] GetLastError () returned 0x0 [0134.917] SetLastError (dwErrCode=0x0) [0134.917] GetLastError () returned 0x0 [0134.917] SetLastError (dwErrCode=0x0) [0134.917] GetLastError () returned 0x0 [0134.917] SetLastError (dwErrCode=0x0) [0134.917] GetLastError () returned 0x0 [0134.917] SetLastError (dwErrCode=0x0) [0134.918] GetLastError () returned 0x0 [0134.918] SetLastError (dwErrCode=0x0) [0134.918] GetLastError () returned 0x0 [0134.918] SetLastError (dwErrCode=0x0) [0134.918] GetLastError () returned 0x0 [0134.918] SetLastError (dwErrCode=0x0) [0134.918] GetLastError () returned 0x0 [0134.918] SetLastError (dwErrCode=0x0) [0134.918] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x30) returned 0xedcb0 [0134.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedcb0, cbMultiByte=32, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 32 [0134.918] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x0, Size=0x50) returned 0xd73d0 [0134.918] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedcb0, cbMultiByte=32, lpWideCharStr=0xd73d0, cchWideChar=32 | out: lpWideCharStr="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 32 [0134.918] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 0x17c [0134.919] GetLastError () returned 0xb7 [0134.919] CloseHandle (hObject=0x17c) returned 1 [0134.920] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xd73d0 | out: hHeap=0x90000) returned 1 [0135.258] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xedcb0 | out: hHeap=0x90000) returned 1 [0135.259] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xd7ff0 | out: hHeap=0x90000) returned 1 [0135.260] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xedcf0 | out: hHeap=0x90000) returned 1 [0135.261] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xcbaf0 | out: hHeap=0x90000) returned 1 [0135.262] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xbbf40 | out: hHeap=0x90000) returned 1 [0135.263] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xbbec0 | out: hHeap=0x90000) returned 1 [0135.264] HeapFree (in: hHeap=0x90000, dwFlags=0x0, lpMem=0xc5b30 | out: hHeap=0x90000) returned 1 Thread: id = 179 os_tid = 0x158 Thread: id = 180 os_tid = 0x620 [0133.146] GetLastError () returned 0x57 [0133.146] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x78) returned 0xbbfc0 [0133.146] SetLastError (dwErrCode=0x57) [0133.159] GetLastError () returned 0x57 [0133.206] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3c8) returned 0xe0cc0 [0133.233] SetLastError (dwErrCode=0x57) Thread: id = 181 os_tid = 0x7a4 [0133.537] GetLastError () returned 0x57 [0133.537] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x78) returned 0xbc040 [0133.537] SetLastError (dwErrCode=0x57) [0133.537] GetLastError () returned 0x57 [0133.538] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3c8) returned 0xf2f40 [0133.538] SetLastError (dwErrCode=0x57) Thread: id = 182 os_tid = 0x600 [0133.539] GetLastError () returned 0x57 [0133.539] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x78) returned 0xbc0c0 [0133.539] SetLastError (dwErrCode=0x57) [0133.539] GetLastError () returned 0x57 [0133.539] RtlAllocateHeap (HeapHandle=0x90000, Flags=0x8, Size=0x3c8) returned 0xf6ba0 [0133.539] SetLastError (dwErrCode=0x57) Process: id = "36" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x3b949000" os_pid = "0xfb8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"explorer.exe\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2522 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2523 start_va = 0x30000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2524 start_va = 0x130000 end_va = 0x133fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 2525 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 2526 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2527 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2528 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2529 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 2530 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2531 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2532 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2533 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2534 start_va = 0x150000 end_va = 0x27ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2535 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2536 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2537 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2538 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2539 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2540 start_va = 0x280000 end_va = 0x2e6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2541 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2542 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2543 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2544 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2545 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2546 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2547 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2548 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2549 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2550 start_va = 0x2f0000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 2551 start_va = 0x340000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2552 start_va = 0x150000 end_va = 0x178fff monitored = 0 entry_point = 0x151010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2553 start_va = 0x180000 end_va = 0x27ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2554 start_va = 0x440000 end_va = 0x5c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 2555 start_va = 0x150000 end_va = 0x178fff monitored = 0 entry_point = 0x151010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2556 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2557 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2558 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2559 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2560 start_va = 0x5d0000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 2561 start_va = 0x760000 end_va = 0x1b5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 2563 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 2564 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 2565 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 2566 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 2567 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 2568 start_va = 0x330000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Thread: id = 150 os_tid = 0xfac [0105.349] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fe18 | out: lpSystemTimeAsFileTime=0x12fe18*(dwLowDateTime=0x34010560, dwHighDateTime=0x1d937fd)) [0105.349] GetCurrentThreadId () returned 0xfac [0105.349] GetCurrentProcessId () returned 0xfb8 [0105.349] QueryPerformanceCounter (in: lpPerformanceCount=0x12fe20 | out: lpPerformanceCount=0x12fe20*=3323963218799) returned 1 [0105.350] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0105.354] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0105.354] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0105.355] GetLastError () returned 0x7e [0105.355] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0105.355] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0105.355] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0105.356] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0105.356] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0105.356] GetProcessHeap () returned 0x180000 [0105.356] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0105.356] GetLastError () returned 0x7e [0105.357] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0105.357] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0105.357] GetLastError () returned 0x7e [0105.357] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0105.357] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0105.357] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x3c8) returned 0x19cfb0 [0105.357] SetLastError (dwErrCode=0x7e) [0105.357] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x1200) returned 0x19d380 [0105.359] GetStartupInfoW (in: lpStartupInfo=0x12fcf0 | out: lpStartupInfo=0x12fcf0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x12fd78, hStdError=0x1)) [0105.359] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0105.359] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0105.359] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0105.360] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"explorer.exe\"" [0105.360] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"explorer.exe\"" [0105.360] GetACP () returned 0x4e4 [0105.360] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x0, Size=0x228) returned 0x19ab90 [0105.360] IsValidCodePage (CodePage=0x4e4) returned 1 [0105.360] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12fcb0 | out: lpCPInfo=0x12fcb0) returned 1 [0105.360] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f550 | out: lpCPInfo=0x12f550) returned 1 [0105.360] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12f570, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0105.360] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12f570, cbMultiByte=256, lpWideCharStr=0x12f2a0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0105.360] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x12f870 | out: lpCharType=0x12f870) returned 1 [0105.360] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12f570, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0105.360] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12f570, cbMultiByte=256, lpWideCharStr=0x12f240, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0105.360] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0105.361] GetLastError () returned 0x7e [0105.361] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0105.361] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0105.361] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x12f030, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0105.361] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x12f670, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«\x19", lpUsedDefaultChar=0x0) returned 256 [0105.361] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12f570, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0105.361] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x12f570, cbMultiByte=256, lpWideCharStr=0x12f240, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0105.361] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0105.362] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x12f030, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0105.362] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x12f770, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0105.362] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x0, Size=0x100) returned 0x19f590 [0105.362] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0105.362] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x194) returned 0x19f6a0 [0105.362] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0105.362] GetLastError () returned 0x0 [0105.362] SetLastError (dwErrCode=0x0) [0105.362] GetEnvironmentStringsW () returned 0x19f840* [0105.362] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x0, Size=0xb32) returned 0x1a0380 [0105.362] FreeEnvironmentStringsW (penv=0x19f840) returned 1 [0105.362] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x128) returned 0x19f840 [0105.362] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x3e) returned 0x19afe0 [0105.362] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x56) returned 0x19adc0 [0105.362] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x62) returned 0x1a0ec0 [0105.362] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x78) returned 0x1a0f30 [0105.362] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x62) returned 0x19f970 [0105.362] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x30) returned 0x19e900 [0105.362] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x48) returned 0x19b030 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x28) returned 0x1979a0 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x1a) returned 0x1979d0 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x34) returned 0x19e940 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x5c) returned 0x19f9e0 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x32) returned 0x19e980 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x2e) returned 0x19e9c0 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x1c) returned 0x197a00 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x19c) returned 0x19fa50 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x7c) returned 0x19fc00 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x3a) returned 0x19b080 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x90) returned 0x19fc90 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x24) returned 0x197a30 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x30) returned 0x19ea00 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x36) returned 0x19ea40 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x3c) returned 0x19b0d0 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x52) returned 0x19fd30 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x3c) returned 0x19b120 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0xd6) returned 0x19fd90 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x2e) returned 0x19ea80 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x1e) returned 0x197a60 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x2c) returned 0x19eac0 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x54) returned 0x19fe70 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x52) returned 0x19fed0 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x2c) returned 0x19eb00 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x26) returned 0x197a90 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x3e) returned 0x19b170 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x24) returned 0x197ac0 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x30) returned 0x19eb40 [0105.363] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x8c) returned 0x19ff30 [0105.364] HeapFree (in: hHeap=0x180000, dwFlags=0x0, lpMem=0x1a0380 | out: hHeap=0x180000) returned 1 [0105.364] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x8, Size=0x1000) returned 0x1a0fb0 [0105.364] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0105.365] GetStartupInfoW (in: lpStartupInfo=0x12fd80 | out: lpStartupInfo=0x12fd80*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0105.365] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"explorer.exe\"" [0105.365] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"explorer.exe\"", pNumArgs=0x12fd50 | out: pNumArgs=0x12fd50) returned 0x1a0450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0105.365] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0105.596] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x0, Size=0x1000) returned 0x1a40a0 [0105.597] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x0, Size=0x12) returned 0x1a0e80 [0105.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="FPH732n7", cchWideChar=-1, lpMultiByteStr=0x1a0e80, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FPH732n7", lpUsedDefaultChar=0x0) returned 9 [0105.597] GetLastError () returned 0x0 [0105.597] SetLastError (dwErrCode=0x0) [0105.597] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7W") returned 0x0 [0105.597] GetLastError () returned 0x7f [0105.597] SetLastError (dwErrCode=0x7f) [0105.598] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7A") returned 0x0 [0105.598] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7") returned 0x7fef2eb1cf0 [0105.598] RtlAllocateHeap (HeapHandle=0x180000, Flags=0x0, Size=0x1a) returned 0x197b50 [0105.620] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=-1, lpMultiByteStr=0x197b50, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 13 [0105.622] GetActiveWindow () returned 0x0 [0106.252] GetLastError () returned 0x7f [0106.252] SetLastError (dwErrCode=0x7f) Process: id = "37" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x3be55000" os_pid = "0x7e0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"explorer.exe\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2570 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2571 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2572 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2573 start_va = 0x170000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2574 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2575 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2576 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2577 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 2578 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2579 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2580 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2581 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 2582 start_va = 0x270000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 2583 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2584 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2585 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2586 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2587 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2588 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2589 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2590 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2591 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2592 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2593 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2594 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2595 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2596 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2597 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2598 start_va = 0xc0000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2599 start_va = 0x270000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 2600 start_va = 0x410000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 2601 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2602 start_va = 0x130000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 2603 start_va = 0x510000 end_va = 0x697fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2604 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2605 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2606 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2607 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2608 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2609 start_va = 0x6a0000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 2610 start_va = 0x830000 end_va = 0x1c2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 2625 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 2626 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 2627 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2628 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2629 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3061 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 3062 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Thread: id = 153 os_tid = 0x958 [0107.632] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fd38 | out: lpSystemTimeAsFileTime=0x26fd38*(dwLowDateTime=0x35367820, dwHighDateTime=0x1d937fd)) [0107.632] GetCurrentThreadId () returned 0x958 [0107.632] GetCurrentProcessId () returned 0x7e0 [0107.632] QueryPerformanceCounter (in: lpPerformanceCount=0x26fd40 | out: lpPerformanceCount=0x26fd40*=3324191528323) returned 1 [0107.633] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0107.635] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0107.635] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0107.635] GetLastError () returned 0x7e [0107.635] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0107.635] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0107.636] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0107.636] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0107.636] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0107.637] GetProcessHeap () returned 0x410000 [0107.637] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0107.637] GetLastError () returned 0x7e [0107.637] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0107.637] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0107.637] GetLastError () returned 0x7e [0107.637] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0107.637] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0107.637] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3c8) returned 0x42cfb0 [0107.638] SetLastError (dwErrCode=0x7e) [0107.638] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1200) returned 0x42d380 [0107.639] GetStartupInfoW (in: lpStartupInfo=0x26fc10 | out: lpStartupInfo=0x26fc10*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x26fc98, hStdError=0x1)) [0107.640] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0107.640] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0107.640] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0107.640] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"explorer.exe\"" [0107.640] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"explorer.exe\"" [0107.640] GetACP () returned 0x4e4 [0107.640] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x228) returned 0x42ab90 [0107.640] IsValidCodePage (CodePage=0x4e4) returned 1 [0107.640] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x26fbd0 | out: lpCPInfo=0x26fbd0) returned 1 [0107.640] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x26f470 | out: lpCPInfo=0x26f470) returned 1 [0107.640] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f490, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0107.640] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f490, cbMultiByte=256, lpWideCharStr=0x26f1c0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0107.640] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x26f790 | out: lpCharType=0x26f790) returned 1 [0107.640] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f490, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0107.640] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f490, cbMultiByte=256, lpWideCharStr=0x26f160, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0107.640] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0107.641] GetLastError () returned 0x7e [0107.641] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0107.641] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0107.641] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x26ef50, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0107.641] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x26f590, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«B", lpUsedDefaultChar=0x0) returned 256 [0107.641] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f490, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0107.641] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f490, cbMultiByte=256, lpWideCharStr=0x26f160, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0107.641] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0107.641] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x26ef50, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0107.641] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x26f690, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0107.641] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x100) returned 0x42f590 [0107.642] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x194) returned 0x42f6a0 [0107.642] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0107.642] GetLastError () returned 0x0 [0107.642] SetLastError (dwErrCode=0x0) [0107.642] GetEnvironmentStringsW () returned 0x42f840* [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0xb32) returned 0x430380 [0107.642] FreeEnvironmentStringsW (penv=0x42f840) returned 1 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x128) returned 0x42f840 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3e) returned 0x42afe0 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x56) returned 0x42adc0 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x62) returned 0x430ec0 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x78) returned 0x430f30 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x62) returned 0x42f970 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42e900 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x48) returned 0x42b030 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x28) returned 0x4279a0 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1a) returned 0x4279d0 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x34) returned 0x42e940 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x5c) returned 0x42f9e0 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x32) returned 0x42e980 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2e) returned 0x42e9c0 [0107.642] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1c) returned 0x427a00 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x19c) returned 0x42fa50 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x7c) returned 0x42fc00 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3a) returned 0x42b080 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x90) returned 0x42fc90 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x24) returned 0x427a30 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42ea00 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x36) returned 0x42ea40 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3c) returned 0x42b0d0 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x52) returned 0x42fd30 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3c) returned 0x42b120 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0xd6) returned 0x42fd90 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2e) returned 0x42ea80 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1e) returned 0x427a60 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2c) returned 0x42eac0 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x54) returned 0x42fe70 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x52) returned 0x42fed0 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x2c) returned 0x42eb00 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x26) returned 0x427a90 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x3e) returned 0x42b170 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x24) returned 0x427ac0 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x30) returned 0x42eb40 [0107.643] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x8c) returned 0x42ff30 [0107.644] HeapFree (in: hHeap=0x410000, dwFlags=0x0, lpMem=0x430380 | out: hHeap=0x410000) returned 1 [0107.644] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x8, Size=0x1000) returned 0x430fb0 [0107.644] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0107.644] GetStartupInfoW (in: lpStartupInfo=0x26fca0 | out: lpStartupInfo=0x26fca0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0107.644] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"explorer.exe\"" [0107.644] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"explorer.exe\"", pNumArgs=0x26fc70 | out: pNumArgs=0x26fc70) returned 0x430450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0107.644] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0107.650] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1000) returned 0x4340a0 [0107.650] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x12) returned 0x430e80 [0107.650] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="KlXWgB9j", cchWideChar=-1, lpMultiByteStr=0x430e80, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="KlXWgB9j", lpUsedDefaultChar=0x0) returned 9 [0107.650] GetLastError () returned 0x0 [0107.651] SetLastError (dwErrCode=0x0) [0107.651] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jW") returned 0x0 [0107.651] GetLastError () returned 0x7f [0107.651] SetLastError (dwErrCode=0x7f) [0107.651] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jA") returned 0x0 [0107.651] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9j") returned 0x7fef2eb0010 [0107.651] RtlAllocateHeap (HeapHandle=0x410000, Flags=0x0, Size=0x1a) returned 0x427b50 [0107.651] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=-1, lpMultiByteStr=0x427b50, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 13 [0107.651] GetActiveWindow () returned 0x0 [0107.751] GetLastError () returned 0x7f [0107.751] SetLastError (dwErrCode=0x7f) Process: id = "38" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x3a161000" os_pid = "0xdbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"explorer.exe\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2633 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2634 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2635 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2636 start_va = 0x1d0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2637 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2638 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2639 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2640 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 2641 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2642 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2643 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2644 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2645 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2646 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2647 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2648 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2649 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2650 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2651 start_va = 0x150000 end_va = 0x1b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2652 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2653 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2654 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2655 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2656 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2657 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2664 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2665 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2666 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2667 start_va = 0x2d0000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 2668 start_va = 0x3c0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2669 start_va = 0x2d0000 end_va = 0x2f8fff monitored = 0 entry_point = 0x2d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2670 start_va = 0x3b0000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 2671 start_va = 0x4c0000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 2672 start_va = 0x2d0000 end_va = 0x2f8fff monitored = 0 entry_point = 0x2d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2673 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2674 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2675 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2676 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2677 start_va = 0x650000 end_va = 0x7d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 2678 start_va = 0x7e0000 end_va = 0x1bdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 2683 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 2684 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 2685 start_va = 0x2d0000 end_va = 0x2d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 2687 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 2688 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 3063 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 3064 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Thread: id = 157 os_tid = 0xdf8 [0110.151] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cfcd8 | out: lpSystemTimeAsFileTime=0x2cfcd8*(dwLowDateTime=0x36992500, dwHighDateTime=0x1d937fd)) [0110.151] GetCurrentThreadId () returned 0xdf8 [0110.151] GetCurrentProcessId () returned 0xdbc [0110.151] QueryPerformanceCounter (in: lpPerformanceCount=0x2cfce0 | out: lpPerformanceCount=0x2cfce0*=3324887396159) returned 1 [0110.152] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0110.154] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0110.154] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0110.155] GetLastError () returned 0x7e [0110.155] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0110.155] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0110.155] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0110.156] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0110.156] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0110.157] GetProcessHeap () returned 0x50000 [0110.157] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0110.157] GetLastError () returned 0x7e [0110.157] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0110.158] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0110.158] GetLastError () returned 0x7e [0110.158] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0110.158] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0110.158] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x3c8) returned 0x6cfb0 [0110.159] SetLastError (dwErrCode=0x7e) [0110.159] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x1200) returned 0x6d380 [0110.161] GetStartupInfoW (in: lpStartupInfo=0x2cfbb0 | out: lpStartupInfo=0x2cfbb0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2cfc38, hStdError=0x1)) [0110.161] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0110.161] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0110.161] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0110.162] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"explorer.exe\"" [0110.162] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"explorer.exe\"" [0110.162] GetACP () returned 0x4e4 [0110.162] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x0, Size=0x228) returned 0x6ab90 [0110.162] IsValidCodePage (CodePage=0x4e4) returned 1 [0110.162] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cfb70 | out: lpCPInfo=0x2cfb70) returned 1 [0110.162] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2cf410 | out: lpCPInfo=0x2cf410) returned 1 [0110.162] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf430, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0110.162] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf430, cbMultiByte=256, lpWideCharStr=0x2cf160, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0110.162] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x2cf730 | out: lpCharType=0x2cf730) returned 1 [0110.163] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf430, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0110.163] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf430, cbMultiByte=256, lpWideCharStr=0x2cf100, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0110.163] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0110.163] GetLastError () returned 0x7e [0110.163] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0110.163] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0110.164] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ceef0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0110.164] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2cf530, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«\x06", lpUsedDefaultChar=0x0) returned 256 [0110.164] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf430, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0110.164] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2cf430, cbMultiByte=256, lpWideCharStr=0x2cf100, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0110.164] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0110.164] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2ceef0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0110.164] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2cf630, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0110.164] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x0, Size=0x100) returned 0x6f590 [0110.164] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0110.164] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x192) returned 0x6f6a0 [0110.164] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0110.164] GetLastError () returned 0x0 [0110.164] SetLastError (dwErrCode=0x0) [0110.164] GetEnvironmentStringsW () returned 0x6f840* [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x0, Size=0xb32) returned 0x70380 [0110.165] FreeEnvironmentStringsW (penv=0x6f840) returned 1 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x128) returned 0x6f840 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x3e) returned 0x6afe0 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x56) returned 0x6adc0 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x62) returned 0x70ec0 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x78) returned 0x70f30 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x62) returned 0x6f970 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x30) returned 0x6e900 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x48) returned 0x6b030 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x28) returned 0x679a0 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x1a) returned 0x679d0 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x34) returned 0x6e940 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x5c) returned 0x6f9e0 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x32) returned 0x6e980 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x2e) returned 0x6e9c0 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x1c) returned 0x67a00 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x19c) returned 0x6fa50 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x7c) returned 0x6fc00 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x3a) returned 0x6b080 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x90) returned 0x6fc90 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x24) returned 0x67a30 [0110.165] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x30) returned 0x6ea00 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x36) returned 0x6ea40 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x3c) returned 0x6b0d0 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x52) returned 0x6fd30 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x3c) returned 0x6b120 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0xd6) returned 0x6fd90 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x2e) returned 0x6ea80 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x1e) returned 0x67a60 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x2c) returned 0x6eac0 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x54) returned 0x6fe70 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x52) returned 0x6fed0 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x2c) returned 0x6eb00 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x26) returned 0x67a90 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x3e) returned 0x6b170 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x24) returned 0x67ac0 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x30) returned 0x6eb40 [0110.166] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x8c) returned 0x6ff30 [0110.167] HeapFree (in: hHeap=0x50000, dwFlags=0x0, lpMem=0x70380 | out: hHeap=0x50000) returned 1 [0110.167] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x8, Size=0x1000) returned 0x70fb0 [0110.168] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0110.168] GetStartupInfoW (in: lpStartupInfo=0x2cfc40 | out: lpStartupInfo=0x2cfc40*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0110.168] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"explorer.exe\"" [0110.168] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"explorer.exe\"", pNumArgs=0x2cfc10 | out: pNumArgs=0x2cfc10) returned 0x70450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0110.168] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0110.173] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x0, Size=0x1000) returned 0x740a0 [0110.174] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x0, Size=0x10) returned 0x70e80 [0110.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="LKKIJ77", cchWideChar=-1, lpMultiByteStr=0x70e80, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LKKIJ77", lpUsedDefaultChar=0x0) returned 8 [0110.174] GetLastError () returned 0x0 [0110.174] SetLastError (dwErrCode=0x0) [0110.174] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77W") returned 0x0 [0110.174] GetLastError () returned 0x7f [0110.174] SetLastError (dwErrCode=0x7f) [0110.174] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77A") returned 0x0 [0110.175] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77") returned 0x7fef2ea6420 [0110.175] RtlAllocateHeap (HeapHandle=0x50000, Flags=0x0, Size=0x1a) returned 0x67b50 [0110.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=-1, lpMultiByteStr=0x67b50, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 13 [0110.175] GetActiveWindow () returned 0x0 [0110.323] GetLastError () returned 0x7f [0110.323] SetLastError (dwErrCode=0x7f) Process: id = "39" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x39a6d000" os_pid = "0xe9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"explorer.exe\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2713 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2714 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2715 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2716 start_va = 0x70000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 2717 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2718 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2719 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2720 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 2721 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2722 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2723 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2724 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2725 start_va = 0x170000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2726 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2727 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2728 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2729 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2730 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2731 start_va = 0x170000 end_va = 0x1d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2732 start_va = 0x1e0000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 2733 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2734 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2735 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2736 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2737 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2738 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2739 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2740 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2741 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2742 start_va = 0x2e0000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 2743 start_va = 0x2e0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 2744 start_va = 0x430000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 2745 start_va = 0x3e0000 end_va = 0x408fff monitored = 0 entry_point = 0x3e1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2746 start_va = 0x440000 end_va = 0x5c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 2747 start_va = 0x3e0000 end_va = 0x408fff monitored = 0 entry_point = 0x3e1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2748 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2749 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2750 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2751 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2752 start_va = 0x5d0000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 2753 start_va = 0x760000 end_va = 0x1b5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 2754 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 2755 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 2757 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2758 start_va = 0x3e0000 end_va = 0x3e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 2759 start_va = 0x3f0000 end_va = 0x3f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Thread: id = 161 os_tid = 0xe50 [0117.326] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fdd8 | out: lpSystemTimeAsFileTime=0x16fdd8*(dwLowDateTime=0x3a53ac60, dwHighDateTime=0x1d937fd)) [0117.326] GetCurrentThreadId () returned 0xe50 [0117.326] GetCurrentProcessId () returned 0xe9c [0117.326] QueryPerformanceCounter (in: lpPerformanceCount=0x16fde0 | out: lpPerformanceCount=0x16fde0*=3325875133104) returned 1 [0117.327] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0117.331] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0117.331] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0117.331] GetLastError () returned 0x7e [0117.331] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0117.332] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0117.332] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0117.333] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0117.333] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0117.334] GetProcessHeap () returned 0x1e0000 [0117.334] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0117.334] GetLastError () returned 0x7e [0117.334] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0117.334] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0117.334] GetLastError () returned 0x7e [0117.334] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0117.334] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0117.334] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x3c8) returned 0x1fcfb0 [0117.335] SetLastError (dwErrCode=0x7e) [0117.335] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1200) returned 0x1fd380 [0117.337] GetStartupInfoW (in: lpStartupInfo=0x16fcb0 | out: lpStartupInfo=0x16fcb0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x16fd38, hStdError=0x1)) [0117.337] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0117.337] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0117.337] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0117.337] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"explorer.exe\"" [0117.337] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"explorer.exe\"" [0117.337] GetACP () returned 0x4e4 [0117.338] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x228) returned 0x1fab90 [0117.338] IsValidCodePage (CodePage=0x4e4) returned 1 [0117.338] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x16fc70 | out: lpCPInfo=0x16fc70) returned 1 [0117.338] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x16f510 | out: lpCPInfo=0x16f510) returned 1 [0117.338] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f530, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0117.338] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f530, cbMultiByte=256, lpWideCharStr=0x16f260, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0117.338] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x16f830 | out: lpCharType=0x16f830) returned 1 [0117.338] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f530, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0117.338] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f530, cbMultiByte=256, lpWideCharStr=0x16f200, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0117.338] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0117.338] GetLastError () returned 0x7e [0117.338] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0117.339] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0117.339] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x16eff0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0117.339] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x16f630, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«\x1f", lpUsedDefaultChar=0x0) returned 256 [0117.339] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f530, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0117.339] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f530, cbMultiByte=256, lpWideCharStr=0x16f200, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0117.339] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0117.339] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x16eff0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0117.339] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x16f730, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0117.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x100) returned 0x1ff590 [0117.340] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0117.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x198) returned 0x1ff6a0 [0117.340] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0117.340] GetLastError () returned 0x0 [0117.340] SetLastError (dwErrCode=0x0) [0117.340] GetEnvironmentStringsW () returned 0x1ff840* [0117.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0xb32) returned 0x200380 [0117.340] FreeEnvironmentStringsW (penv=0x1ff840) returned 1 [0117.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x128) returned 0x1ff840 [0117.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x3e) returned 0x1fafe0 [0117.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x56) returned 0x1fadc0 [0117.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x62) returned 0x200ec0 [0117.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x78) returned 0x200f30 [0117.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x62) returned 0x1ff970 [0117.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x30) returned 0x1fe900 [0117.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x48) returned 0x1fb030 [0117.340] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x28) returned 0x1f79a0 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1a) returned 0x1f79d0 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x34) returned 0x1fe940 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x5c) returned 0x1ff9e0 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x32) returned 0x1fe980 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x2e) returned 0x1fe9c0 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1c) returned 0x1f7a00 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x19c) returned 0x1ffa50 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x7c) returned 0x1ffc00 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x3a) returned 0x1fb080 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x90) returned 0x1ffc90 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x24) returned 0x1f7a30 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x30) returned 0x1fea00 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x36) returned 0x1fea40 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x3c) returned 0x1fb0d0 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x52) returned 0x1ffd30 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x3c) returned 0x1fb120 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0xd6) returned 0x1ffd90 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x2e) returned 0x1fea80 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1e) returned 0x1f7a60 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x2c) returned 0x1feac0 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x54) returned 0x1ffe70 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x52) returned 0x1ffed0 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x2c) returned 0x1feb00 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x26) returned 0x1f7a90 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x3e) returned 0x1fb170 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x24) returned 0x1f7ac0 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x30) returned 0x1feb40 [0117.341] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x8c) returned 0x1fff30 [0117.342] HeapFree (in: hHeap=0x1e0000, dwFlags=0x0, lpMem=0x200380 | out: hHeap=0x1e0000) returned 1 [0117.342] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x8, Size=0x1000) returned 0x200fb0 [0117.349] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0117.350] GetStartupInfoW (in: lpStartupInfo=0x16fd40 | out: lpStartupInfo=0x16fd40*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0117.350] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"explorer.exe\"" [0117.350] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"explorer.exe\"", pNumArgs=0x16fd10 | out: pNumArgs=0x16fd10) returned 0x200450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0117.350] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0117.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1000) returned 0x2040a0 [0117.651] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x16) returned 0x200e80 [0117.651] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MMlFUh3Tzt", cchWideChar=-1, lpMultiByteStr=0x200e80, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMlFUh3Tzt", lpUsedDefaultChar=0x0) returned 11 [0117.651] GetLastError () returned 0x0 [0117.651] SetLastError (dwErrCode=0x0) [0117.652] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztW") returned 0x0 [0117.652] GetLastError () returned 0x7f [0117.652] SetLastError (dwErrCode=0x7f) [0117.652] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztA") returned 0x0 [0117.652] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3Tzt") returned 0x7fef2eb0cf0 [0117.652] RtlAllocateHeap (HeapHandle=0x1e0000, Flags=0x0, Size=0x1a) returned 0x1f7b50 [0117.652] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=-1, lpMultiByteStr=0x1f7b50, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 13 [0117.652] GetActiveWindow () returned 0x0 [0117.973] GetLastError () returned 0x7f [0117.973] SetLastError (dwErrCode=0x7f) Process: id = "40" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x39b79000" os_pid = "0xee0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"iexplore.exe\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2785 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2786 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2787 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2788 start_va = 0xd0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2789 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2790 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2791 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2792 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 2793 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2794 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2795 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2796 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2804 start_va = 0x1d0000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2805 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2806 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2807 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2808 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2809 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2810 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2811 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2812 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2813 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2814 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2815 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2816 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2817 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2818 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2819 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2820 start_va = 0x380000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 2821 start_va = 0x380000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 2822 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 2829 start_va = 0x1d0000 end_va = 0x1f8fff monitored = 0 entry_point = 0x1d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2830 start_va = 0x280000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 2831 start_va = 0x580000 end_va = 0x707fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 2832 start_va = 0x1d0000 end_va = 0x1f8fff monitored = 0 entry_point = 0x1d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2833 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2834 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2835 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2836 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2837 start_va = 0x710000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 2838 start_va = 0x8a0000 end_va = 0x1c9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 2839 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 2840 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 2841 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2962 start_va = 0x1e0000 end_va = 0x25dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 2965 start_va = 0x1ca0000 end_va = 0x1df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ca0000" filename = "" Region: id = 2966 start_va = 0x1e00000 end_va = 0x1f60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e00000" filename = "" Region: id = 2967 start_va = 0x7fefd2c0000 end_va = 0x7fefd42cfff monitored = 0 entry_point = 0x7fefd2c10b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2968 start_va = 0x7fefd270000 end_va = 0x7fefd27efff monitored = 0 entry_point = 0x7fefd271020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2969 start_va = 0x7fefd060000 end_va = 0x7fefd06afff monitored = 0 entry_point = 0x7fefd061030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2970 start_va = 0x7fefd090000 end_va = 0x7fefd0b4fff monitored = 0 entry_point = 0x7fefd099658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2971 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2972 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2973 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2974 start_va = 0x7fefabb0000 end_va = 0x7fefabc7fff monitored = 0 entry_point = 0x7fefabb1010 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 3002 start_va = 0x7fefacc0000 end_va = 0x7feface6fff monitored = 0 entry_point = 0x7fefacc98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3003 start_va = 0x7fefed70000 end_va = 0x7fefed77fff monitored = 0 entry_point = 0x7fefed71504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3004 start_va = 0x7fefacb0000 end_va = 0x7fefacbafff monitored = 0 entry_point = 0x7fefacb1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3005 start_va = 0x7fefb550000 end_va = 0x7fefb560fff monitored = 0 entry_point = 0x7fefb551070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3006 start_va = 0x7feff280000 end_va = 0x7feff2ccfff monitored = 0 entry_point = 0x7feff281070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3007 start_va = 0x1f70000 end_va = 0x216ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 3016 start_va = 0x2170000 end_va = 0x243efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3017 start_va = 0x2590000 end_va = 0x268ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 3018 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 3019 start_va = 0x480000 end_va = 0x4fcfff monitored = 0 entry_point = 0x48cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3020 start_va = 0x480000 end_va = 0x4fcfff monitored = 0 entry_point = 0x48cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3021 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3065 start_va = 0x1ff0000 end_va = 0x20effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ff0000" filename = "" Region: id = 3066 start_va = 0x20f0000 end_va = 0x216ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 3067 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 3068 start_va = 0x260000 end_va = 0x260fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 3069 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3070 start_va = 0x270000 end_va = 0x270fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 3071 start_va = 0x7fef9520000 end_va = 0x7fef952dfff monitored = 0 entry_point = 0x7fef9525500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3072 start_va = 0x7fef97c0000 end_va = 0x7fef9836fff monitored = 0 entry_point = 0x7fef97fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 3073 start_va = 0x7fefcc30000 end_va = 0x7fefcc51fff monitored = 0 entry_point = 0x7fefcc35d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3074 start_va = 0x2480000 end_va = 0x257ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002480000" filename = "" Region: id = 3075 start_va = 0x7fefcac0000 end_va = 0x7fefcad7fff monitored = 0 entry_point = 0x7fefcac3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3076 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 3077 start_va = 0x480000 end_va = 0x4c4fff monitored = 0 entry_point = 0x481064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3078 start_va = 0x480000 end_va = 0x4c4fff monitored = 0 entry_point = 0x481064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3079 start_va = 0x480000 end_va = 0x4c4fff monitored = 0 entry_point = 0x481064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3080 start_va = 0x480000 end_va = 0x4c4fff monitored = 0 entry_point = 0x481064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3081 start_va = 0x480000 end_va = 0x4c4fff monitored = 0 entry_point = 0x481064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3082 start_va = 0x7fefc7c0000 end_va = 0x7fefc806fff monitored = 0 entry_point = 0x7fefc7c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3083 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c3fff monitored = 0 entry_point = 0x7fefd1b10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3084 start_va = 0x27d0000 end_va = 0x28cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 3085 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3086 start_va = 0x26b0000 end_va = 0x27affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026b0000" filename = "" Region: id = 3087 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 3093 start_va = 0x7fef9240000 end_va = 0x7fef9252fff monitored = 0 entry_point = 0x7fef9241d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 3094 start_va = 0x7fef9560000 end_va = 0x7fef9632fff monitored = 0 entry_point = 0x7fef95d8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 3095 start_va = 0x7fef9530000 end_va = 0x7fef9556fff monitored = 0 entry_point = 0x7fef95311a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 3096 start_va = 0x480000 end_va = 0x482fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Thread: id = 167 os_tid = 0xed0 [0122.795] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfc58 | out: lpSystemTimeAsFileTime=0x1cfc58*(dwLowDateTime=0x3d4fc5c0, dwHighDateTime=0x1d937fd)) [0122.795] GetCurrentThreadId () returned 0xed0 [0122.795] GetCurrentProcessId () returned 0xee0 [0122.795] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfc60 | out: lpPerformanceCount=0x1cfc60*=3327255959305) returned 1 [0122.796] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0122.799] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0122.799] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0122.800] GetLastError () returned 0x7e [0122.800] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0122.800] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0122.800] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0122.801] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0122.801] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0122.802] GetProcessHeap () returned 0x280000 [0122.802] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0122.802] GetLastError () returned 0x7e [0122.802] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0122.802] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0122.802] GetLastError () returned 0x7e [0122.802] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0122.802] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0122.802] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3c8) returned 0x29cfb0 [0122.803] SetLastError (dwErrCode=0x7e) [0122.803] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1200) returned 0x29d380 [0122.806] GetStartupInfoW (in: lpStartupInfo=0x1cfb30 | out: lpStartupInfo=0x1cfb30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x1cfbb8, hStdError=0x1)) [0122.806] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0122.806] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0122.806] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0122.806] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"iexplore.exe\"" [0122.806] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"iexplore.exe\"" [0122.807] GetACP () returned 0x4e4 [0122.807] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x228) returned 0x29ab90 [0122.807] IsValidCodePage (CodePage=0x4e4) returned 1 [0122.807] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cfaf0 | out: lpCPInfo=0x1cfaf0) returned 1 [0122.807] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cf390 | out: lpCPInfo=0x1cf390) returned 1 [0122.807] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf3b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0122.807] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf3b0, cbMultiByte=256, lpWideCharStr=0x1cf0e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0122.807] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x1cf6b0 | out: lpCharType=0x1cf6b0) returned 1 [0122.807] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf3b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0122.807] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf3b0, cbMultiByte=256, lpWideCharStr=0x1cf080, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0122.807] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0122.808] GetLastError () returned 0x7e [0122.808] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0122.808] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0122.808] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1cee70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0122.809] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1cf4b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«)", lpUsedDefaultChar=0x0) returned 256 [0122.809] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf3b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0122.809] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf3b0, cbMultiByte=256, lpWideCharStr=0x1cf080, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0122.809] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0122.809] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1cee70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0122.809] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1cf5b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0122.809] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x100) returned 0x29f590 [0122.809] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0122.809] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x198) returned 0x29f6a0 [0122.809] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0122.809] GetLastError () returned 0x0 [0122.809] SetLastError (dwErrCode=0x0) [0122.809] GetEnvironmentStringsW () returned 0x29f840* [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0xb32) returned 0x2a0380 [0122.810] FreeEnvironmentStringsW (penv=0x29f840) returned 1 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x128) returned 0x29f840 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3e) returned 0x29afe0 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x56) returned 0x29adc0 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x62) returned 0x2a0ec0 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x78) returned 0x2a0f30 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x62) returned 0x29f970 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x30) returned 0x29e900 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x48) returned 0x29b030 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x28) returned 0x2979a0 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1a) returned 0x2979d0 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x34) returned 0x29e940 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x5c) returned 0x29f9e0 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x32) returned 0x29e980 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x2e) returned 0x29e9c0 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1c) returned 0x297a00 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x19c) returned 0x29fa50 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x7c) returned 0x29fc00 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3a) returned 0x29b080 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x90) returned 0x29fc90 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x24) returned 0x297a30 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x30) returned 0x29ea00 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x36) returned 0x29ea40 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3c) returned 0x29b0d0 [0122.810] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x52) returned 0x29fd30 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3c) returned 0x29b120 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xd6) returned 0x29fd90 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x2e) returned 0x29ea80 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1e) returned 0x297a60 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x2c) returned 0x29eac0 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x54) returned 0x29fe70 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x52) returned 0x29fed0 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x2c) returned 0x29eb00 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x26) returned 0x297a90 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3e) returned 0x29b170 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x24) returned 0x297ac0 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x30) returned 0x29eb40 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x8c) returned 0x29ff30 [0122.811] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a0380 | out: hHeap=0x280000) returned 1 [0122.811] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1000) returned 0x2a0fb0 [0122.812] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0122.812] GetStartupInfoW (in: lpStartupInfo=0x1cfbc0 | out: lpStartupInfo=0x1cfbc0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0122.812] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"iexplore.exe\"" [0122.812] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"iexplore.exe\"", pNumArgs=0x1cfb90 | out: pNumArgs=0x1cfb90) returned 0x2a0450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0122.812] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0122.898] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x1000) returned 0x2a40a0 [0122.898] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x16) returned 0x2a0e80 [0122.898] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Cpurthnvlc", cchWideChar=-1, lpMultiByteStr=0x2a0e80, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Cpurthnvlc", lpUsedDefaultChar=0x0) returned 11 [0122.898] GetLastError () returned 0x0 [0122.898] SetLastError (dwErrCode=0x0) [0122.898] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcW") returned 0x0 [0122.898] GetLastError () returned 0x7f [0122.898] SetLastError (dwErrCode=0x7f) [0122.898] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcA") returned 0x0 [0122.899] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="Cpurthnvlc") returned 0x7fef2ea5970 [0122.899] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x1a) returned 0x297b50 [0122.899] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=-1, lpMultiByteStr=0x297b50, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 13 [0122.899] GetActiveWindow () returned 0x0 [0134.202] VirtualAlloc (lpAddress=0x0, dwSize=0x7e000, flAllocationType=0x3000, flProtect=0x40) returned 0x1e0000 [0134.409] GetProcAddress (hModule=0x77160000, lpProcName="ExitProcess") returned 0x772a40f0 [0134.409] GetProcAddress (hModule=0x77160000, lpProcName="LoadLibraryW") returned 0x77176420 [0134.409] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77280000 [0134.410] GetProcAddress (hModule=0x77280000, lpProcName="NtMapViewOfSection") returned 0x772d1590 [0134.410] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenFile") returned 0x772d1640 [0134.410] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenSection") returned 0x772d1680 [0134.410] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateSection") returned 0x772d17b0 [0134.410] GetProcAddress (hModule=0x77160000, lpProcName="VirtualProtect") returned 0x771629f0 [0134.411] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentThreadId") returned 0x77173380 [0134.411] GetProcAddress (hModule=0x77160000, lpProcName="GetModuleFileNameA") returned 0x77175940 [0134.411] GetProcAddress (hModule=0x77160000, lpProcName="VirtualAlloc") returned 0x77175c40 [0134.411] GetProcAddress (hModule=0x77160000, lpProcName="GetProcessHeap") returned 0x77181a30 [0134.411] GetProcAddress (hModule=0x77160000, lpProcName="HeapAlloc") returned 0x772d33a0 [0134.411] GetProcAddress (hModule=0x77160000, lpProcName="HeapFree") returned 0x77181a50 [0134.411] GetModuleFileNameA (in: hModule=0x7fef2ea0000, lpFilename=0x1cf890, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll")) returned 0x62 [0134.412] VirtualAlloc (lpAddress=0x0, dwSize=0x158000, flAllocationType=0x3000, flProtect=0x4) returned 0x1ca0000 [0134.497] GetProcessHeap () returned 0x280000 [0134.497] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x3f80) returned 0x2a50b0 [0134.687] GetProcessHeap () returned 0x280000 [0134.688] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a50b0 | out: hHeap=0x280000) returned 1 [0134.688] GetCurrentThreadId () returned 0xed0 [0134.688] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cf754 | out: lpflOldProtect=0x1cf754*=0x20) returned 1 [0134.689] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cf754 | out: lpflOldProtect=0x1cf754*=0x40) returned 1 [0134.689] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cf754 | out: lpflOldProtect=0x1cf754*=0x20) returned 1 [0134.689] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cf754 | out: lpflOldProtect=0x1cf754*=0x40) returned 1 [0134.689] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cf754 | out: lpflOldProtect=0x1cf754*=0x20) returned 1 [0134.690] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cf754 | out: lpflOldProtect=0x1cf754*=0x40) returned 1 [0134.690] LoadLibraryW (lpLibFileName="gdiplus.dll") returned 0x1e00000 [0134.691] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ce5c4 | out: lpflOldProtect=0x1ce5c4*=0x20) returned 1 [0134.691] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ce5c4 | out: lpflOldProtect=0x1ce5c4*=0x40) returned 1 [0134.692] NtOpenFile (in: FileHandle=0x1ce6a8, DesiredAccess=0x100020, ObjectAttributes=0x1ce6f8*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1ce728, ShareAccess=0x3, OpenOptions=0x21 | out: FileHandle=0x1ce6a8*=0x70, IoStatusBlock=0x1ce728*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0134.924] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1ce5c4 | out: lpflOldProtect=0x1ce5c4*=0x20) returned 1 [0134.924] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1ce5c4 | out: lpflOldProtect=0x1ce5c4*=0x40) returned 1 [0134.925] GetCurrentThreadId () returned 0xed0 [0134.925] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cf294 | out: lpflOldProtect=0x1cf294*=0x20) returned 1 [0134.925] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cf294 | out: lpflOldProtect=0x1cf294*=0x40) returned 1 [0134.925] NtOpenFile (in: FileHandle=0x1cf360, DesiredAccess=0x100021, ObjectAttributes=0x1cf418*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1cf448, ShareAccess=0x5, OpenOptions=0x60 | out: FileHandle=0x1cf360*=0x74, IoStatusBlock=0x1cf448*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0134.926] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cf284 | out: lpflOldProtect=0x1cf284*=0x20) returned 1 [0134.926] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cf284 | out: lpflOldProtect=0x1cf284*=0x40) returned 1 [0134.926] GetCurrentThreadId () returned 0xed0 [0134.926] NtCreateSection (in: SectionHandle=0x1cf368, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x74 | out: SectionHandle=0x1cf368*=0x78) returned 0x0 [0134.927] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x1cf114 | out: lpflOldProtect=0x1cf114*=0x20) returned 1 [0134.927] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x1cf114 | out: lpflOldProtect=0x1cf114*=0x40) returned 1 [0134.927] GetCurrentThreadId () returned 0xed0 [0134.927] NtCreateSection (in: SectionHandle=0x1cf1f8, DesiredAccess=0xe, ObjectAttributes=0x0, MaximumSize=0x1cf1f0, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x1cf1f8*=0x7c) returned 0x0 [0134.928] NtMapViewOfSection (in: SectionHandle=0x7c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x1cf198*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1cf3b8*=0x0, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1cf198*=0x1e00000, SectionOffset=0x0, ViewSize=0x1cf3b8*=0x161000) returned 0x0 [0135.322] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf298 | out: lpSystemTimeAsFileTime=0x1cf298*(dwLowDateTime=0x420c6370, dwHighDateTime=0x1d937fd)) [0135.322] GetCurrentThreadId () returned 0xed0 [0135.322] GetCurrentProcessId () returned 0xee0 [0135.322] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf2a0 | out: lpPerformanceCount=0x1cf2a0*=3328942239461) returned 1 [0135.416] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0135.416] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0135.416] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0135.417] GetLastError () returned 0x7e [0135.417] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0135.417] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0135.464] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0135.686] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0135.687] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0135.708] GetProcessHeap () returned 0x280000 [0135.722] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0135.723] GetLastError () returned 0x7e [0135.723] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0135.723] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0135.723] GetLastError () returned 0x7e [0135.723] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0135.736] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3c8) returned 0x2b1a80 [0135.737] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0135.785] SetLastError (dwErrCode=0x7e) [0135.799] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1000) returned 0x2b1e50 [0135.801] GetStartupInfoW (in: lpStartupInfo=0x1cf120 | out: lpStartupInfo=0x1cf120*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x1)) [0135.801] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0135.801] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0135.801] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0135.814] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"iexplore.exe\"" [0135.814] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"iexplore.exe\"" [0135.978] GetLastError () returned 0x7e [0136.005] SetLastError (dwErrCode=0x7e) [0136.005] GetLastError () returned 0x7e [0136.005] SetLastError (dwErrCode=0x7e) [0136.103] GetACP () returned 0x4e4 [0136.103] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x228) returned 0x2b3e60 [0136.104] IsValidCodePage (CodePage=0x4e4) returned 1 [0136.104] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cf0f0 | out: lpCPInfo=0x1cf0f0) returned 1 [0136.119] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1ce990 | out: lpCPInfo=0x1ce990) returned 1 [0136.119] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce9b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0136.133] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce9b0, cbMultiByte=256, lpWideCharStr=0x1ce6e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ(") returned 256 [0136.133] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ(", cchSrc=256, lpCharType=0x1cecb0 | out: lpCharType=0x1cecb0) returned 1 [0136.146] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce9b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0136.146] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce9b0, cbMultiByte=256, lpWideCharStr=0x1ce680, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0136.162] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0136.163] GetLastError () returned 0x7e [0136.163] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0136.163] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0136.163] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ce470, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0136.163] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1ceab0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x0e*", lpUsedDefaultChar=0x0) returned 256 [0136.163] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce9b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0136.163] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ce9b0, cbMultiByte=256, lpWideCharStr=0x1ce680, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0136.163] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0136.163] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ce470, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0136.163] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1cebb0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0136.226] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x100) returned 0x2b4090 [0136.226] RtlInitializeSListHead (in: ListHead=0x1f48410 | out: ListHead=0x1f48410) [0136.267] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0136.267] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0136.267] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0136.267] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0136.267] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0136.267] GetProcAddress (hModule=0x77160000, lpProcName="InitializeCriticalSectionEx") returned 0x77176e50 [0136.267] GetProcAddress (hModule=0x77160000, lpProcName="InitOnceExecuteOnce") returned 0x77165d60 [0136.268] GetProcAddress (hModule=0x77160000, lpProcName="CreateEventExW") returned 0x771ac970 [0136.268] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreW") returned 0x77168e00 [0136.268] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreExW") returned 0x771ac8a0 [0136.268] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolTimer") returned 0x77167e90 [0136.268] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolTimer") returned 0x7729b2f0 [0136.268] GetProcAddress (hModule=0x77160000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7728d8c0 [0136.268] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolTimer") returned 0x7728d620 [0136.268] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWait") returned 0x771abe60 [0136.268] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolWait") returned 0x7729e170 [0136.268] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWait") returned 0x7728c540 [0136.269] GetProcAddress (hModule=0x77160000, lpProcName="FlushProcessWriteBuffers") returned 0x772d1f80 [0136.269] GetProcAddress (hModule=0x77160000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x7734ec60 [0136.269] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentProcessorNumber") returned 0x772d0040 [0136.269] GetProcAddress (hModule=0x77160000, lpProcName="CreateSymbolicLinkW") returned 0x771d5af0 [0136.269] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentPackageId") returned 0x0 [0136.269] GetProcAddress (hModule=0x77160000, lpProcName="GetTickCount64") returned 0x77168ac0 [0136.269] GetProcAddress (hModule=0x77160000, lpProcName="GetFileInformationByHandleEx") returned 0x771712f0 [0136.269] GetProcAddress (hModule=0x77160000, lpProcName="SetFileInformationByHandle") returned 0x771ac120 [0136.269] GetProcAddress (hModule=0x77160000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0136.269] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0136.270] GetProcAddress (hModule=0x77160000, lpProcName="WakeConditionVariable") returned 0x7733bab0 [0136.270] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0136.270] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0136.270] GetProcAddress (hModule=0x77160000, lpProcName="InitializeSRWLock") returned 0x772b84f0 [0136.270] GetProcAddress (hModule=0x77160000, lpProcName="AcquireSRWLockExclusive") returned 0x772a8020 [0136.270] GetProcAddress (hModule=0x77160000, lpProcName="TryAcquireSRWLockExclusive") returned 0x7732bdd0 [0136.271] GetProcAddress (hModule=0x77160000, lpProcName="ReleaseSRWLockExclusive") returned 0x772a8050 [0136.272] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableSRW") returned 0x771ab5c0 [0136.272] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWork") returned 0x77165d30 [0136.272] GetProcAddress (hModule=0x77160000, lpProcName="SubmitThreadpoolWork") returned 0x77292330 [0136.272] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWork") returned 0x772921f0 [0136.272] GetProcAddress (hModule=0x77160000, lpProcName="CompareStringEx") returned 0x771abd60 [0136.272] GetProcAddress (hModule=0x77160000, lpProcName="GetLocaleInfoEx") returned 0x771635e0 [0136.272] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0136.286] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0136.286] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0136.286] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0136.286] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0136.286] RtlInitializeConditionVariable () returned 0x772a00b0 [0136.300] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1000) returned 0x2b41a0 [0136.339] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1f48fb0, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0136.339] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xe0) returned 0x2a2ee0 [0136.340] GetEnvironmentStringsW () returned 0x2b51b0* [0136.340] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1433 [0136.340] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x599) returned 0x2b5cf0 [0136.340] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x2b5cf0, cbMultiByte=1433, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1433 [0136.340] FreeEnvironmentStringsW (penv=0x2b51b0) returned 1 [0136.340] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x128) returned 0x2b51b0 [0136.340] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1f) returned 0x2a5c80 [0136.353] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x2b) returned 0x2b3750 [0136.353] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x31) returned 0x2b3790 [0136.353] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3c) returned 0x2b00c0 [0136.353] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x31) returned 0x2b37d0 [0136.353] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x18) returned 0x2a0ea0 [0136.353] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x24) returned 0x2a5cb0 [0136.353] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x14) returned 0x2b52e0 [0136.353] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xd) returned 0x2b5300 [0136.353] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1a) returned 0x2a5ce0 [0136.353] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x2e) returned 0x2b3810 [0136.353] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x19) returned 0x2a5d10 [0136.353] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x17) returned 0x2b5320 [0136.354] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xe) returned 0x2b5340 [0136.354] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xce) returned 0x2b5360 [0136.354] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3e) returned 0x2b0110 [0136.354] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1d) returned 0x2a5d40 [0136.355] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x48) returned 0x2b0160 [0136.355] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x12) returned 0x2b5440 [0136.355] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x18) returned 0x2b5460 [0136.355] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1b) returned 0x2a5d70 [0136.355] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1e) returned 0x2a5da0 [0136.355] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x29) returned 0x2b3850 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1e) returned 0x2a5dd0 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x6b) returned 0x2abdc0 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x17) returned 0x2b5480 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0xf) returned 0x2b54a0 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x16) returned 0x2b54c0 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x2a) returned 0x2b3890 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x29) returned 0x2b38d0 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x16) returned 0x2b54e0 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x13) returned 0x2b62d0 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x1f) returned 0x2a5e00 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x12) returned 0x2b62f0 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x18) returned 0x2b6310 [0136.356] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x46) returned 0x2b01b0 [0136.357] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b5cf0 | out: hHeap=0x280000) returned 1 [0136.453] GetCurrentThread () returned 0xfffffffffffffffe [0136.453] GetThreadTimes (in: hThread=0xfffffffffffffffe, lpCreationTime=0x1cf1d8, lpExitTime=0x1cf1d0, lpKernelTime=0x1cf1d0, lpUserTime=0x1cf1d0 | out: lpCreationTime=0x1cf1d8, lpExitTime=0x1cf1d0, lpKernelTime=0x1cf1d0, lpUserTime=0x1cf1d0) returned 1 [0136.453] RtlInitializeSListHead (in: ListHead=0x1f48aa0 | out: ListHead=0x1f48aa0) [0136.500] RtlPcToFileHeader (in: PcValue=0x1f2fef8, BaseOfImage=0x1cf100 | out: BaseOfImage=0x1cf100*=0x1e00000) returned 0x1e00000 [0136.581] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x50) returned 0x2b6aa0 [0136.582] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x98 [0136.582] RtlWakeAllConditionVariable () returned 0x772a00b0 [0136.603] RtlWakeAllConditionVariable () returned 0x772a00b0 [0136.603] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x1cf050 | out: lpWSAData=0x1cf050) returned 0 [0136.622] RtlWakeAllConditionVariable () returned 0x772a00b0 [0136.622] RtlWakeAllConditionVariable () returned 0x772a00b0 [0136.644] RtlSizeHeap (HeapHandle=0x280000, Flags=0x0, MemoryPointer=0x2b4090) returned 0x100 [0136.644] RtlReAllocateHeap (Heap=0x280000, Flags=0x0, Ptr=0x2b4090, Size=0x200) returned 0x2b5500 [0136.667] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0136.668] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateThreadEx") returned 0x772d1d90 [0136.668] GetProcAddress (hModule=0x77280000, lpProcName="RtlNewSecurityObjectWithMultipleInheritance") returned 0x77364540 [0136.668] GetCurrentProcess () returned 0xffffffffffffffff [0136.668] NtCreateThreadEx (in: ThreadHandle=0x1f49890, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffffffffffff, lpStartAddress=0x77364540, lpParameter=0x0, CreateSuspended=1, StackZeroBits=0x0, SizeOfStackCommit=0x0, SizeOfStackReserve=0x0, lpBytesBuffer=0x0 | out: ThreadHandle=0x1f49890*=0xb0, lpBytesBuffer=0x0) returned 0x0 [0136.669] GetThreadContext (in: hThread=0xb0, lpContext=0x1ced80 | out: lpContext=0x1ced80*(P1Home=0x2b6ea0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0x2b, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0x2b4090, Dr2=0x772d3488, Dr3=0x280230, Dr6=0x280388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x77364540, Rdx=0x0, Rbx=0x0, Rsp=0x268f838, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x2b4090, VectorRegister.High=0x2b4090, VectorControl=0x0, DebugControl=0x1e87129, LastBranchToRip=0x0, LastBranchFromRip=0x1cf738, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0136.671] SetThreadContext (hThread=0xb0, lpContext=0x1ced80*(P1Home=0x2b6ea0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0x2b, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0x2b4090, Dr2=0x772d3488, Dr3=0x280230, Dr6=0x280388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x1e1365c, Rdx=0x0, Rbx=0x0, Rsp=0x268f838, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x2b4090, VectorRegister.High=0x2b4090, VectorControl=0x0, DebugControl=0x1e87129, LastBranchToRip=0x0, LastBranchFromRip=0x1cf738, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0136.671] ResumeThread (hThread=0xb0) returned 0x1 [0136.680] GetProcAddress (hModule=0x1e00000, lpProcName="setPath") returned 0x1e14604 [0136.680] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x70) returned 0x2abe40 [0136.680] SetEvent (hEvent=0x98) returned 1 [0136.702] WaitForSingleObject (hHandle=0xb0, dwMilliseconds=0xffffffff) returned 0x0 [0139.470] RtlExitUserProcess (ExitCode=0x0) [0139.475] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x29cfb0 | out: hHeap=0x280000) returned 1 [0139.476] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b1a80 | out: hHeap=0x280000) returned 1 [0139.499] WSACleanup () returned 0 [0139.502] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2abe40 | out: hHeap=0x280000) returned 1 [0139.502] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6aa0 | out: hHeap=0x280000) returned 1 [0139.524] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9660 | out: hHeap=0x280000) returned 1 [0139.524] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b83d0 | out: hHeap=0x280000) returned 1 [0139.524] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6350 | out: hHeap=0x280000) returned 1 [0139.525] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b4090 | out: hHeap=0x280000) returned 1 [0139.525] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b3e10 | out: hHeap=0x280000) returned 1 [0139.547] RtlInterlockedFlushSList (in: ListHead=0x1f48410 | out: ListHead=0x1f48410) returned 0x0 [0139.547] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b5500 | out: hHeap=0x280000) returned 1 [0139.548] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b41a0 | out: hHeap=0x280000) returned 1 [0139.548] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0139.549] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2d0cc0 | out: hHeap=0x280000) returned 1 [0139.550] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2e2f50 | out: hHeap=0x280000) returned 1 [0139.550] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b40b0 | out: hHeap=0x280000) returned 1 [0139.550] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b93a0 | out: hHeap=0x280000) returned 1 [0139.551] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2e6bb0 | out: hHeap=0x280000) returned 1 [0139.551] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0139.552] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2abfc0 | out: hHeap=0x280000) returned 1 [0139.552] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ac040 | out: hHeap=0x280000) returned 1 [0139.552] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ac0c0 | out: hHeap=0x280000) returned 1 [0139.552] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5c80 | out: hHeap=0x280000) returned 1 [0139.553] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b3750 | out: hHeap=0x280000) returned 1 [0139.553] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b3790 | out: hHeap=0x280000) returned 1 [0139.553] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b00c0 | out: hHeap=0x280000) returned 1 [0139.554] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b37d0 | out: hHeap=0x280000) returned 1 [0139.554] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a0ea0 | out: hHeap=0x280000) returned 1 [0139.554] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5cb0 | out: hHeap=0x280000) returned 1 [0139.554] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b52e0 | out: hHeap=0x280000) returned 1 [0139.554] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b5300 | out: hHeap=0x280000) returned 1 [0139.554] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5ce0 | out: hHeap=0x280000) returned 1 [0139.554] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b3810 | out: hHeap=0x280000) returned 1 [0139.554] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5d10 | out: hHeap=0x280000) returned 1 [0139.554] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b5320 | out: hHeap=0x280000) returned 1 [0139.554] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b5340 | out: hHeap=0x280000) returned 1 [0139.555] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b5360 | out: hHeap=0x280000) returned 1 [0139.555] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0110 | out: hHeap=0x280000) returned 1 [0139.555] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5d40 | out: hHeap=0x280000) returned 1 [0139.555] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0160 | out: hHeap=0x280000) returned 1 [0139.556] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b5440 | out: hHeap=0x280000) returned 1 [0139.556] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b5460 | out: hHeap=0x280000) returned 1 [0139.556] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5d70 | out: hHeap=0x280000) returned 1 [0139.556] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5da0 | out: hHeap=0x280000) returned 1 [0139.557] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b3850 | out: hHeap=0x280000) returned 1 [0139.557] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5dd0 | out: hHeap=0x280000) returned 1 [0139.557] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2abdc0 | out: hHeap=0x280000) returned 1 [0139.557] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b5480 | out: hHeap=0x280000) returned 1 [0139.557] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b54a0 | out: hHeap=0x280000) returned 1 [0139.557] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b54c0 | out: hHeap=0x280000) returned 1 [0139.557] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b3890 | out: hHeap=0x280000) returned 1 [0139.558] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b38d0 | out: hHeap=0x280000) returned 1 [0139.558] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b54e0 | out: hHeap=0x280000) returned 1 [0139.558] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b62d0 | out: hHeap=0x280000) returned 1 [0139.558] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e00 | out: hHeap=0x280000) returned 1 [0139.558] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b62f0 | out: hHeap=0x280000) returned 1 [0139.558] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6310 | out: hHeap=0x280000) returned 1 [0139.558] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b01b0 | out: hHeap=0x280000) returned 1 [0139.559] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b51b0 | out: hHeap=0x280000) returned 1 [0139.559] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b3e60 | out: hHeap=0x280000) returned 1 [0139.560] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a2ee0 | out: hHeap=0x280000) returned 1 [0139.588] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b1e50 | out: hHeap=0x280000) returned 1 [0139.588] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0139.588] FreeLibrary (hLibModule=0x77160000) returned 1 [0139.589] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0139.589] FreeLibrary (hLibModule=0x77160000) returned 1 Thread: id = 185 os_tid = 0x22c [0136.703] GetLastError () returned 0x57 [0136.703] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0136.703] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x78) returned 0x2abec0 [0136.704] SetLastError (dwErrCode=0x57) [0136.704] GetLastError () returned 0x57 [0136.704] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3c8) returned 0x2b5b30 [0136.704] SetLastError (dwErrCode=0x57) [0136.724] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0136.725] GetLastError () returned 0x7e [0136.725] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x268f2c0 | out: lpSystemTimeAsFileTime=0x268f2c0*(dwLowDateTime=0x425887a0, dwHighDateTime=0x1d937fd)) [0136.725] GetLastError () returned 0x7e [0136.725] SetLastError (dwErrCode=0x7e) [0136.725] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0136.725] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x70) returned 0x2abf40 [0136.769] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x260) returned 0x2b5f00 [0136.856] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0136.856] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x38) returned 0x2b3e10 [0136.879] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x2) returned 0x2b4090 [0136.879] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b4090 | out: hHeap=0x280000) returned 1 [0136.879] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x2) returned 0x2b4090 [0136.879] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x30) returned 0x2b83d0 [0136.900] GetLastError () returned 0x7e [0136.900] SetLastError (dwErrCode=0x7e) [0136.900] GetLastError () returned 0x7e [0136.900] SetLastError (dwErrCode=0x7e) [0136.928] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x158) returned 0x2b93a0 [0136.928] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x6a6) returned 0x2b9500 [0136.929] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9500 | out: hHeap=0x280000) returned 1 [0136.929] GetLastError () returned 0x7e [0136.929] SetLastError (dwErrCode=0x7e) [0136.951] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x6) returned 0x2b40b0 [0136.952] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x2) returned 0x2b40d0 [0137.026] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4) returned 0x2b40f0 [0137.026] GetLastError () returned 0x7e [0137.026] SetLastError (dwErrCode=0x7e) [0137.026] GetLastError () returned 0x7e [0137.026] SetLastError (dwErrCode=0x7e) [0137.027] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x158) returned 0x2b9500 [0137.027] GetLastError () returned 0x7e [0137.027] SetLastError (dwErrCode=0x7e) [0137.087] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x6a6) returned 0x2b9660 [0137.088] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9660 | out: hHeap=0x280000) returned 1 [0137.088] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b40b0 | out: hHeap=0x280000) returned 1 [0137.088] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b93a0 | out: hHeap=0x280000) returned 1 [0137.089] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b40f0 | out: hHeap=0x280000) returned 1 [0137.089] GetLastError () returned 0x7e [0137.089] SetLastError (dwErrCode=0x7e) [0137.089] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x6) returned 0x2b40b0 [0137.089] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x2) returned 0x2b40f0 [0137.089] GetLastError () returned 0x7e [0137.089] SetLastError (dwErrCode=0x7e) [0137.089] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x200) returned 0x2b9660 [0137.089] GetLastError () returned 0x7e [0137.089] SetLastError (dwErrCode=0x7e) [0137.089] GetLastError () returned 0x7e [0137.089] SetLastError (dwErrCode=0x7e) [0137.089] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x4) returned 0x2b4110 [0137.090] GetLastError () returned 0x7e [0137.090] SetLastError (dwErrCode=0x7e) [0137.090] GetLastError () returned 0x7e [0137.090] SetLastError (dwErrCode=0x7e) [0137.090] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x158) returned 0x2b93a0 [0137.090] GetLastError () returned 0x7e [0137.090] SetLastError (dwErrCode=0x7e) [0137.090] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x6a6) returned 0x2b9870 [0137.090] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9870 | out: hHeap=0x280000) returned 1 [0137.091] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b40b0 | out: hHeap=0x280000) returned 1 [0137.091] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9500 | out: hHeap=0x280000) returned 1 [0137.091] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b4110 | out: hHeap=0x280000) returned 1 [0137.091] GetLastError () returned 0x7e [0137.091] SetLastError (dwErrCode=0x7e) [0137.091] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x6) returned 0x2b40b0 [0137.091] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b40f0 | out: hHeap=0x280000) returned 1 [0137.091] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b40d0 | out: hHeap=0x280000) returned 1 [0137.091] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6350 [0137.091] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.092] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x25a) returned 0x2b9870 [0137.112] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.169] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5ec0 [0137.169] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5ef0 [0137.169] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.170] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5ec0 | out: hHeap=0x280000) returned 1 [0137.170] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5ec0 [0137.170] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x60) returned 0x2ad5e0 [0137.170] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.170] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x80) returned 0x2b40d0 [0137.170] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ad5e0 | out: hHeap=0x280000) returned 1 [0137.170] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5f20 [0137.171] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0xc0) returned 0x2b6170 [0137.171] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b40d0 | out: hHeap=0x280000) returned 1 [0137.171] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5f50 [0137.171] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5f80 [0137.171] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x120) returned 0x2b9500 [0137.171] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6170 | out: hHeap=0x280000) returned 1 [0137.171] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5fb0 [0137.171] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5fe0 [0137.171] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x1a0) returned 0x2b9ae0 [0137.172] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9500 | out: hHeap=0x280000) returned 1 [0137.172] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a6010 [0137.172] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a6040 [0137.172] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a6070 [0137.172] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a60a0 [0137.172] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x260) returned 0x2b9c90 [0137.172] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9ae0 | out: hHeap=0x280000) returned 1 [0137.172] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a60d0 [0137.172] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a6100 [0137.172] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a6130 [0137.172] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a6160 [0137.172] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2b9f30 [0137.173] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2b9f60 [0137.173] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x380) returned 0x2bab00 [0137.173] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9c90 | out: hHeap=0x280000) returned 1 [0137.173] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2b9f90 [0137.173] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2b9fc0 [0137.173] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2b9ff0 [0137.173] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2ba020 [0137.173] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2ba050 [0137.173] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2ba080 [0137.173] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2ba0b0 [0137.173] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2ba0e0 [0137.173] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2ba110 [0137.173] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x540) returned 0x2bae90 [0137.174] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2bab00 | out: hHeap=0x280000) returned 1 [0137.174] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2ba140 [0137.174] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2ba170 [0137.174] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2ba1a0 [0137.174] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2ba1d0 [0137.174] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2ba200 [0137.174] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.175] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9870 | out: hHeap=0x280000) returned 1 [0137.175] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.175] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.176] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.176] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.176] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x12) returned 0x2b6390 [0137.176] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.176] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.176] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.176] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.177] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.177] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.177] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0250 [0137.177] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.177] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.178] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.178] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x11) returned 0x2b6390 [0137.178] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.178] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.178] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.178] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.178] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.178] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.178] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x80) returned 0x2b40d0 [0137.179] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0250 | out: hHeap=0x280000) returned 1 [0137.179] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.179] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.180] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.180] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0xf) returned 0x2b6390 [0137.180] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.180] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.180] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.180] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.180] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.180] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.180] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0xc0) returned 0x2b6170 [0137.181] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b40d0 | out: hHeap=0x280000) returned 1 [0137.181] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.181] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.181] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.181] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6390 [0137.181] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.181] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.182] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.182] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.182] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.182] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.182] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x100) returned 0x2b9500 [0137.182] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6170 | out: hHeap=0x280000) returned 1 [0137.182] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.182] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.183] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.183] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x13) returned 0x2b6390 [0137.183] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.183] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.183] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.183] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.183] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.183] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.183] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x180) returned 0x2bab00 [0137.183] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9500 | out: hHeap=0x280000) returned 1 [0137.184] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.184] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.184] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.184] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x12) returned 0x2b6390 [0137.184] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.184] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.185] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.185] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.185] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.185] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.185] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.185] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.185] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.186] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6390 [0137.186] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.186] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.186] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.186] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.186] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.186] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.186] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x240) returned 0x2b9870 [0137.186] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2bab00 | out: hHeap=0x280000) returned 1 [0137.187] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.187] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.187] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.187] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0xe) returned 0x2b6390 [0137.187] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.188] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.188] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.188] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.188] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.188] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.189] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.189] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.189] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.189] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x12) returned 0x2b6390 [0137.189] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.189] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.189] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.190] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.190] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.190] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.190] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.190] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.190] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.190] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x11) returned 0x2b6390 [0137.190] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.190] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.191] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.191] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.191] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.191] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.191] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x340) returned 0x2bab00 [0137.192] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9870 | out: hHeap=0x280000) returned 1 [0137.192] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.192] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.193] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.193] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x13) returned 0x2b6390 [0137.193] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.193] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.193] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.193] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.193] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.193] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.194] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.194] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.194] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.194] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x12) returned 0x2b6390 [0137.194] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.194] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.195] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.195] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.195] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.195] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.196] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.196] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.196] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.196] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x13) returned 0x2b6390 [0137.196] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.196] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.197] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.197] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.197] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.197] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.198] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.198] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.198] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.198] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x12) returned 0x2b6390 [0137.198] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.199] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.199] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.199] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.199] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.199] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.199] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x4c0) returned 0x2b9870 [0137.200] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2bab00 | out: hHeap=0x280000) returned 1 [0137.200] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.201] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.201] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.201] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x11) returned 0x2b6390 [0137.201] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.201] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.202] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.202] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.202] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.202] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.202] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.238] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.238] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.239] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x12) returned 0x2b6390 [0137.239] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.239] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.239] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.239] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.239] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.239] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.240] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.240] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.240] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.240] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6390 [0137.240] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.240] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.241] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.241] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.241] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.241] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.241] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.241] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.241] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.241] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6390 [0137.241] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.241] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.242] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.242] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.242] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.242] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.242] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.242] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.242] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.242] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x11) returned 0x2b6390 [0137.242] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.243] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.243] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.243] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.243] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.243] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.253] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.253] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.253] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.253] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x11) returned 0x2b6390 [0137.253] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.253] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.254] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.254] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.254] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.254] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.254] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x700) returned 0x2bb3e0 [0137.255] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9870 | out: hHeap=0x280000) returned 1 [0137.255] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.255] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.255] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.255] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x12) returned 0x2b6390 [0137.256] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.256] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.256] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.256] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.256] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.256] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.256] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.256] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.257] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.257] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x11) returned 0x2b6390 [0137.257] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.257] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.257] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.257] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.257] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.257] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.258] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.258] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.258] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.258] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x11) returned 0x2b6390 [0137.258] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.258] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.259] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.259] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.259] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.259] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.259] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.259] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.260] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.260] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x12) returned 0x2b6390 [0137.260] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.260] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.260] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.260] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.261] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.261] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.261] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.261] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.261] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.262] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x11) returned 0x2b6390 [0137.262] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.262] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.262] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.262] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.263] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.263] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.263] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.263] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.263] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.263] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6390 [0137.263] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.263] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.264] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.265] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.265] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.265] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.265] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.265] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.265] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.265] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x12) returned 0x2b6390 [0137.265] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.265] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.266] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.266] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.266] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.266] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.266] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.266] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.266] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.267] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x11) returned 0x2b6390 [0137.267] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.267] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.267] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.267] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.267] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.267] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.268] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.268] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.268] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.268] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x13) returned 0x2b6390 [0137.268] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.268] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.268] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.268] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.268] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.269] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.269] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0xa80) returned 0x2bbaf0 [0137.269] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2bb3e0 | out: hHeap=0x280000) returned 1 [0137.269] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.270] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.270] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.270] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6390 [0137.270] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.270] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.270] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.270] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.270] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.270] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.270] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.271] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.271] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.271] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x11) returned 0x2b6390 [0137.271] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.272] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.272] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.272] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.272] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.272] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.273] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.273] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.273] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.273] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x13) returned 0x2b6390 [0137.273] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.273] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.273] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.273] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.273] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.274] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.274] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.274] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6330 [0137.274] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x10) returned 0x2b6370 [0137.274] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x12) returned 0x2b6390 [0137.274] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2a5e90 [0137.275] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x40) returned 0x2b0200 [0137.275] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5e90 | out: hHeap=0x280000) returned 1 [0137.275] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6390 | out: hHeap=0x280000) returned 1 [0137.275] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6370 | out: hHeap=0x280000) returned 1 [0137.275] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6330 | out: hHeap=0x280000) returned 1 [0137.276] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b0200 | out: hHeap=0x280000) returned 1 [0137.276] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5ef0 | out: hHeap=0x280000) returned 1 [0137.277] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5ec0 | out: hHeap=0x280000) returned 1 [0137.277] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5f20 | out: hHeap=0x280000) returned 1 [0137.278] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5f50 | out: hHeap=0x280000) returned 1 [0137.278] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5f80 | out: hHeap=0x280000) returned 1 [0137.279] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5fb0 | out: hHeap=0x280000) returned 1 [0137.279] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a5fe0 | out: hHeap=0x280000) returned 1 [0137.280] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a6010 | out: hHeap=0x280000) returned 1 [0137.280] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a6040 | out: hHeap=0x280000) returned 1 [0137.281] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a6070 | out: hHeap=0x280000) returned 1 [0137.281] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a60a0 | out: hHeap=0x280000) returned 1 [0137.287] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a60d0 | out: hHeap=0x280000) returned 1 [0137.288] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a6100 | out: hHeap=0x280000) returned 1 [0137.288] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a6130 | out: hHeap=0x280000) returned 1 [0137.289] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2a6160 | out: hHeap=0x280000) returned 1 [0137.289] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9f30 | out: hHeap=0x280000) returned 1 [0137.290] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9f60 | out: hHeap=0x280000) returned 1 [0137.290] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9f90 | out: hHeap=0x280000) returned 1 [0137.291] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9fc0 | out: hHeap=0x280000) returned 1 [0137.291] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b9ff0 | out: hHeap=0x280000) returned 1 [0137.291] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ba020 | out: hHeap=0x280000) returned 1 [0137.292] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ba050 | out: hHeap=0x280000) returned 1 [0137.292] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ba080 | out: hHeap=0x280000) returned 1 [0137.293] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ba0b0 | out: hHeap=0x280000) returned 1 [0137.294] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ba0e0 | out: hHeap=0x280000) returned 1 [0137.294] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ba110 | out: hHeap=0x280000) returned 1 [0137.295] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ba140 | out: hHeap=0x280000) returned 1 [0137.296] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ba170 | out: hHeap=0x280000) returned 1 [0137.296] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ba1a0 | out: hHeap=0x280000) returned 1 [0137.296] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ba1d0 | out: hHeap=0x280000) returned 1 [0137.297] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ba200 | out: hHeap=0x280000) returned 1 [0137.298] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2bae90 | out: hHeap=0x280000) returned 1 [0137.298] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b5f00 | out: hHeap=0x280000) returned 1 [0137.298] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0137.367] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0138.693] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0138.693] GetProcAddress (hModule=0x77280000, lpProcName="ZwAllocateVirtualMemory") returned 0x772d1490 [0138.694] GetProcAddress (hModule=0x77280000, lpProcName="ZwWriteVirtualMemory") returned 0x772d16b0 [0138.694] GetProcAddress (hModule=0x77280000, lpProcName="ZwReadVirtualMemory") returned 0x772d1700 [0138.694] GetProcAddress (hModule=0x77280000, lpProcName="ZwGetContextThread") returned 0x772d1fe0 [0138.694] GetProcAddress (hModule=0x77280000, lpProcName="ZwSetContextThread") returned 0x772d2840 [0138.717] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x30) returned 0x2c7ff0 [0138.741] CoCreateInstance (in: rclsid=0x1ee57e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1ee57f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x268f170 | out: ppv=0x268f170*=0x2b66b0) returned 0x0 [0138.762] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2b66b0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x268f168 | out: ppNamespace=0x268f168*=0x2e3600) returned 0x0 [0138.878] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x7fefd730000 [0138.878] GetProcAddress (hModule=0x7fefd730000, lpProcName="CoSetProxyBlanket") returned 0x7fefd76bf00 [0138.878] CoSetProxyBlanket (pProxy=0x2e3600, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0138.878] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x18) returned 0x2b69b0 [0138.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2c7ff0, cbMultiByte=35, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 35 [0138.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2c7ff0, cbMultiByte=35, lpWideCharStr=0x268f060, cchWideChar=35 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystem") returned 35 [0138.879] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x18) returned 0x2b69d0 [0138.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1efb258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0138.879] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1efb258, cbMultiByte=4, lpWideCharStr=0x268f0a0, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0138.879] IWbemServices:ExecQuery (in: This=0x2e3600, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystem", lFlags=48, pCtx=0x0, ppEnum=0x268f178 | out: ppEnum=0x268f178*=0x2ea5c0) returned 0x0 [0138.888] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b69d0 | out: hHeap=0x280000) returned 1 [0138.888] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b69b0 | out: hHeap=0x280000) returned 1 [0138.888] IEnumWbemClassObject:Next (in: This=0x2ea5c0, lTimeout=-1, uCount=0x1, apObjects=0x268f180, puReturned=0x268f298 | out: apObjects=0x268f180*=0x2ee3d0, puReturned=0x268f298*=0x1) returned 0x0 [0138.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x268f2d0, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0138.916] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x268f2d0, cbMultiByte=4, lpWideCharStr=0x268f098, cchWideChar=4 | out: lpWideCharStr="Name") returned 4 [0138.964] IWbemClassObject:Get (in: This=0x2ee3d0, wszName="Name", lFlags=0, pVal=0x268f220*(varType=0x0, wReserved1=0x2c, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x268f220*(varType=0x8, wReserved1=0x2c, wReserved2=0x0, wReserved3=0x0, varVal1="Q9IATRKPRH", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0138.965] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x20) returned 0x2cbcd0 [0138.965] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0138.965] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x268f0b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Q9IATRKPRH", lpUsedDefaultChar=0x0) returned 10 [0138.965] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2cbcd0 | out: hHeap=0x280000) returned 1 [0138.965] IUnknown:Release (This=0x2ee3d0) returned 0x0 [0138.965] WbemLocator:IUnknown:Release (This=0x2e3600) returned 0x0 [0138.967] WbemLocator:IUnknown:Release (This=0x2b66b0) returned 0x0 [0138.967] IUnknown:Release (This=0x2ea5c0) returned 0x0 [0138.970] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2c7ff0 | out: hHeap=0x280000) returned 1 [0138.970] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x30) returned 0x2c7ff0 [0138.970] CoCreateInstance (in: rclsid=0x1ee57e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1ee57f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x268f170 | out: ppv=0x268f170*=0x2b69d0) returned 0x0 [0138.970] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2b69d0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x268f168 | out: ppNamespace=0x268f168*=0x2e3600) returned 0x0 [0138.976] CoSetProxyBlanket (pProxy=0x2e3600, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0138.976] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x18) returned 0x2b6a30 [0138.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2c7ff0, cbMultiByte=42, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 42 [0138.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2c7ff0, cbMultiByte=42, lpWideCharStr=0x268f050, cchWideChar=42 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystemProduct") returned 42 [0138.976] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x18) returned 0x2b66b0 [0138.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1efb258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0138.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1efb258, cbMultiByte=4, lpWideCharStr=0x268f0a0, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0138.976] IWbemServices:ExecQuery (in: This=0x2e3600, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystemProduct", lFlags=48, pCtx=0x0, ppEnum=0x268f178 | out: ppEnum=0x268f178*=0x2ea5c0) returned 0x0 [0138.982] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b66b0 | out: hHeap=0x280000) returned 1 [0138.982] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b6a30 | out: hHeap=0x280000) returned 1 [0138.982] IEnumWbemClassObject:Next (in: This=0x2ea5c0, lTimeout=-1, uCount=0x1, apObjects=0x268f180, puReturned=0x268f298 | out: apObjects=0x268f180*=0x2ec340, puReturned=0x268f298*=0x1) returned 0x0 [0139.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x268f2d0, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0139.007] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x268f2d0, cbMultiByte=4, lpWideCharStr=0x268f098, cchWideChar=4 | out: lpWideCharStr="UUID") returned 4 [0139.007] IWbemClassObject:Get (in: This=0x2ec340, wszName="UUID", lFlags=0, pVal=0x268f220*(varType=0x0, wReserved1=0x2c, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x268f220*(varType=0x8, wReserved1=0x2c, wReserved2=0x0, wReserved3=0x0, varVal1="4C4C4544-0050-3710-8058-CAC04F59344A", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0139.007] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x50) returned 0x2c76d0 [0139.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0139.007] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x30) returned 0x2ddd00 [0139.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x2ddd00, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4C4C4544-0050-3710-8058-CAC04F59344A", lpUsedDefaultChar=0x0) returned 36 [0139.008] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2c76d0 | out: hHeap=0x280000) returned 1 [0139.008] IUnknown:Release (This=0x2ec340) returned 0x0 [0139.008] WbemLocator:IUnknown:Release (This=0x2e3600) returned 0x0 [0139.009] WbemLocator:IUnknown:Release (This=0x2b69d0) returned 0x0 [0139.009] IUnknown:Release (This=0x2ea5c0) returned 0x0 [0139.015] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2c7ff0 | out: hHeap=0x280000) returned 1 [0139.015] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x30) returned 0x2c7ff0 [0139.114] GetLastError () returned 0x0 [0139.114] SetLastError (dwErrCode=0x0) [0139.160] GetLastError () returned 0x0 [0139.160] SetLastError (dwErrCode=0x0) [0139.160] GetLastError () returned 0x0 [0139.160] SetLastError (dwErrCode=0x0) [0139.160] GetLastError () returned 0x0 [0139.160] SetLastError (dwErrCode=0x0) [0139.160] GetLastError () returned 0x0 [0139.160] SetLastError (dwErrCode=0x0) [0139.160] GetLastError () returned 0x0 [0139.160] SetLastError (dwErrCode=0x0) [0139.161] GetLastError () returned 0x0 [0139.161] SetLastError (dwErrCode=0x0) [0139.161] GetLastError () returned 0x0 [0139.161] SetLastError (dwErrCode=0x0) [0139.161] GetLastError () returned 0x0 [0139.161] SetLastError (dwErrCode=0x0) [0139.161] GetLastError () returned 0x0 [0139.161] SetLastError (dwErrCode=0x0) [0139.161] GetLastError () returned 0x0 [0139.161] SetLastError (dwErrCode=0x0) [0139.161] GetLastError () returned 0x0 [0139.161] SetLastError (dwErrCode=0x0) [0139.161] GetLastError () returned 0x0 [0139.161] SetLastError (dwErrCode=0x0) [0139.161] GetLastError () returned 0x0 [0139.161] SetLastError (dwErrCode=0x0) [0139.161] GetLastError () returned 0x0 [0139.161] SetLastError (dwErrCode=0x0) [0139.161] GetLastError () returned 0x0 [0139.161] SetLastError (dwErrCode=0x0) [0139.161] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x30) returned 0x2ddcc0 [0139.162] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2ddcc0, cbMultiByte=32, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 32 [0139.162] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x0, Size=0x50) returned 0x2c73d0 [0139.162] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2ddcc0, cbMultiByte=32, lpWideCharStr=0x2c73d0, cchWideChar=32 | out: lpWideCharStr="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 32 [0139.162] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 0x17c [0139.162] GetLastError () returned 0xb7 [0139.162] CloseHandle (hObject=0x17c) returned 1 [0139.163] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2c73d0 | out: hHeap=0x280000) returned 1 [0139.163] CoUninitialize () [0139.182] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ddcc0 | out: hHeap=0x280000) returned 1 [0139.183] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2c7ff0 | out: hHeap=0x280000) returned 1 [0139.184] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2ddd00 | out: hHeap=0x280000) returned 1 [0139.184] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2bbaf0 | out: hHeap=0x280000) returned 1 [0139.184] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2abf40 | out: hHeap=0x280000) returned 1 [0139.185] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2abec0 | out: hHeap=0x280000) returned 1 [0139.186] HeapFree (in: hHeap=0x280000, dwFlags=0x0, lpMem=0x2b5b30 | out: hHeap=0x280000) returned 1 Thread: id = 187 os_tid = 0x49c Thread: id = 188 os_tid = 0x3a8 [0138.777] GetLastError () returned 0x57 [0138.777] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x78) returned 0x2abfc0 [0138.777] SetLastError (dwErrCode=0x57) [0138.777] GetLastError () returned 0x57 [0138.777] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3c8) returned 0x2d0cc0 [0138.778] SetLastError (dwErrCode=0x57) Thread: id = 189 os_tid = 0x138 [0138.830] GetLastError () returned 0x57 [0138.830] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x78) returned 0x2ac040 [0138.830] SetLastError (dwErrCode=0x57) [0138.830] GetLastError () returned 0x57 [0138.830] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3c8) returned 0x2e2f50 [0138.830] SetLastError (dwErrCode=0x57) Thread: id = 190 os_tid = 0x43c [0138.831] GetLastError () returned 0x57 [0138.832] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x78) returned 0x2ac0c0 [0138.832] SetLastError (dwErrCode=0x57) [0138.832] GetLastError () returned 0x57 [0138.832] RtlAllocateHeap (HeapHandle=0x280000, Flags=0x8, Size=0x3c8) returned 0x2e6bb0 [0138.832] SetLastError (dwErrCode=0x57) Process: id = "41" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x39b84000" os_pid = "0x61c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"iexplore.exe\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2892 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2893 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2894 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2895 start_va = 0xd0000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2896 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2897 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2898 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2899 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 2900 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2901 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2902 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2903 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2904 start_va = 0x1d0000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2905 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2906 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2907 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2908 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2909 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2910 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2911 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2912 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2913 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2914 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2915 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2916 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2917 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2918 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2919 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2920 start_va = 0x360000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 2921 start_va = 0x360000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 2922 start_va = 0x490000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 2923 start_va = 0x1d0000 end_va = 0x1f8fff monitored = 0 entry_point = 0x1d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2924 start_va = 0x260000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 2925 start_va = 0x4a0000 end_va = 0x627fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 2926 start_va = 0x1d0000 end_va = 0x1f8fff monitored = 0 entry_point = 0x1d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2927 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2928 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2947 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2948 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2949 start_va = 0x630000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 2950 start_va = 0x7c0000 end_va = 0x1bbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 2959 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 2960 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 2961 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2963 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2964 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3239 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 3240 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Thread: id = 177 os_tid = 0x6a0 [0134.092] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf918 | out: lpSystemTimeAsFileTime=0x1cf918*(dwLowDateTime=0x41835d50, dwHighDateTime=0x1d937fd)) [0134.092] GetCurrentThreadId () returned 0x6a0 [0134.092] GetCurrentProcessId () returned 0x61c [0134.092] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf920 | out: lpPerformanceCount=0x1cf920*=3328819187806) returned 1 [0134.092] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0134.096] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0134.096] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0134.097] GetLastError () returned 0x7e [0134.097] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0134.097] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0134.097] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0134.098] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0134.098] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0134.099] GetProcessHeap () returned 0x260000 [0134.099] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0134.099] GetLastError () returned 0x7e [0134.100] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0134.100] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0134.100] GetLastError () returned 0x7e [0134.100] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0134.100] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0134.100] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x3c8) returned 0x27cfb0 [0134.101] SetLastError (dwErrCode=0x7e) [0134.101] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x1200) returned 0x27d380 [0134.103] GetStartupInfoW (in: lpStartupInfo=0x1cf7f0 | out: lpStartupInfo=0x1cf7f0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x1cf878, hStdError=0x1)) [0134.103] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0134.103] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0134.103] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0134.103] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"iexplore.exe\"" [0134.104] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"iexplore.exe\"" [0134.104] GetACP () returned 0x4e4 [0134.104] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x228) returned 0x27ab90 [0134.104] IsValidCodePage (CodePage=0x4e4) returned 1 [0134.104] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cf7b0 | out: lpCPInfo=0x1cf7b0) returned 1 [0134.104] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1cf050 | out: lpCPInfo=0x1cf050) returned 1 [0134.104] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf070, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0134.104] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf070, cbMultiByte=256, lpWideCharStr=0x1ceda0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0134.104] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x1cf370 | out: lpCharType=0x1cf370) returned 1 [0134.104] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf070, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0134.104] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf070, cbMultiByte=256, lpWideCharStr=0x1ced40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0134.105] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0134.105] GetLastError () returned 0x7e [0134.105] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0134.105] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0134.106] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ceb30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0134.106] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1cf170, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«'", lpUsedDefaultChar=0x0) returned 256 [0134.106] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf070, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0134.106] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1cf070, cbMultiByte=256, lpWideCharStr=0x1ced40, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0134.106] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0134.106] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1ceb30, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0134.106] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1cf270, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0134.106] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x100) returned 0x27f590 [0134.106] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0134.106] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x194) returned 0x27f6a0 [0134.106] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0134.106] GetLastError () returned 0x0 [0134.107] SetLastError (dwErrCode=0x0) [0134.107] GetEnvironmentStringsW () returned 0x27f840* [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0xb32) returned 0x280380 [0134.107] FreeEnvironmentStringsW (penv=0x27f840) returned 1 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x128) returned 0x27f840 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x3e) returned 0x27afe0 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x56) returned 0x27adc0 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x62) returned 0x280ec0 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x78) returned 0x280f30 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x62) returned 0x27f970 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x30) returned 0x27e900 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x48) returned 0x27b030 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x28) returned 0x2779a0 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x1a) returned 0x2779d0 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x34) returned 0x27e940 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x5c) returned 0x27f9e0 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x32) returned 0x27e980 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x2e) returned 0x27e9c0 [0134.107] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x1c) returned 0x277a00 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x19c) returned 0x27fa50 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x7c) returned 0x27fc00 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x3a) returned 0x27b080 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x90) returned 0x27fc90 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x24) returned 0x277a30 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x30) returned 0x27ea00 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x36) returned 0x27ea40 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x3c) returned 0x27b0d0 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x52) returned 0x27fd30 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x3c) returned 0x27b120 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0xd6) returned 0x27fd90 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x2e) returned 0x27ea80 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x1e) returned 0x277a60 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x2c) returned 0x27eac0 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x54) returned 0x27fe70 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x52) returned 0x27fed0 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x2c) returned 0x27eb00 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x26) returned 0x277a90 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x3e) returned 0x27b170 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x24) returned 0x277ac0 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x30) returned 0x27eb40 [0134.108] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x8c) returned 0x27ff30 [0134.109] HeapFree (in: hHeap=0x260000, dwFlags=0x0, lpMem=0x280380 | out: hHeap=0x260000) returned 1 [0134.109] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x8, Size=0x1000) returned 0x280fb0 [0134.109] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0134.110] GetStartupInfoW (in: lpStartupInfo=0x1cf880 | out: lpStartupInfo=0x1cf880*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0134.110] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"iexplore.exe\"" [0134.110] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"iexplore.exe\"", pNumArgs=0x1cf850 | out: pNumArgs=0x1cf850) returned 0x280450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0134.110] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0134.173] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1000) returned 0x2840a0 [0134.173] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x12) returned 0x280e80 [0134.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="FPH732n7", cchWideChar=-1, lpMultiByteStr=0x280e80, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FPH732n7", lpUsedDefaultChar=0x0) returned 9 [0134.173] GetLastError () returned 0x0 [0134.173] SetLastError (dwErrCode=0x0) [0134.174] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7W") returned 0x0 [0134.174] GetLastError () returned 0x7f [0134.174] SetLastError (dwErrCode=0x7f) [0134.174] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7A") returned 0x0 [0134.174] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7") returned 0x7fef2eb1cf0 [0134.174] RtlAllocateHeap (HeapHandle=0x260000, Flags=0x0, Size=0x1a) returned 0x277b50 [0134.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=-1, lpMultiByteStr=0x277b50, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 13 [0134.175] GetActiveWindow () returned 0x0 [0134.379] GetLastError () returned 0x7f [0134.379] SetLastError (dwErrCode=0x7f) Process: id = "42" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x3a390000" os_pid = "0x4bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"iexplore.exe\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2975 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2976 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2977 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2978 start_va = 0x210000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2979 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2980 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2981 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2982 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 2983 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2984 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2985 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2986 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2987 start_va = 0x50000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2988 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2989 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2990 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2991 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2992 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2993 start_va = 0x160000 end_va = 0x1c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2994 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2995 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2996 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2997 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2998 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2999 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3000 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3001 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3008 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3009 start_va = 0x310000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 3010 start_va = 0x360000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 3011 start_va = 0x1d0000 end_va = 0x1f8fff monitored = 0 entry_point = 0x1d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3012 start_va = 0x460000 end_va = 0x5e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 3013 start_va = 0x1d0000 end_va = 0x1f8fff monitored = 0 entry_point = 0x1d1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3014 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3015 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3088 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3089 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3090 start_va = 0x60000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3091 start_va = 0x5f0000 end_va = 0x770fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 3092 start_va = 0x780000 end_va = 0x1b7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 3097 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 3098 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 3099 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3100 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3101 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3413 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 3414 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Thread: id = 183 os_tid = 0x480 [0139.238] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fd98 | out: lpSystemTimeAsFileTime=0x30fd98*(dwLowDateTime=0x432ceea0, dwHighDateTime=0x1d937fd)) [0139.238] GetCurrentThreadId () returned 0x480 [0139.238] GetCurrentProcessId () returned 0x4bc [0139.238] QueryPerformanceCounter (in: lpPerformanceCount=0x30fda0 | out: lpPerformanceCount=0x30fda0*=3329473654710) returned 1 [0139.239] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0139.242] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0139.242] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0139.243] GetLastError () returned 0x7e [0139.243] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0139.243] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0139.243] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0139.244] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0139.244] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0139.245] GetProcessHeap () returned 0x60000 [0139.245] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0139.245] GetLastError () returned 0x7e [0139.245] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0139.245] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0139.245] GetLastError () returned 0x7e [0139.246] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0139.246] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0139.246] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x3c8) returned 0x7cfb0 [0139.246] SetLastError (dwErrCode=0x7e) [0139.246] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x1200) returned 0x7d380 [0139.249] GetStartupInfoW (in: lpStartupInfo=0x30fc70 | out: lpStartupInfo=0x30fc70*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x30fcf8, hStdError=0x1)) [0139.249] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0139.249] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0139.249] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0139.249] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"iexplore.exe\"" [0139.249] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"iexplore.exe\"" [0139.249] GetACP () returned 0x4e4 [0139.250] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x0, Size=0x228) returned 0x7ab90 [0139.250] IsValidCodePage (CodePage=0x4e4) returned 1 [0139.250] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x30fc30 | out: lpCPInfo=0x30fc30) returned 1 [0139.250] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x30f4d0 | out: lpCPInfo=0x30f4d0) returned 1 [0139.250] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x30f4f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0139.250] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x30f4f0, cbMultiByte=256, lpWideCharStr=0x30f220, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0139.250] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x30f7f0 | out: lpCharType=0x30f7f0) returned 1 [0139.250] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x30f4f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0139.250] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x30f4f0, cbMultiByte=256, lpWideCharStr=0x30f1c0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0139.250] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0139.250] GetLastError () returned 0x7e [0139.250] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0139.251] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0139.251] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x30efb0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0139.251] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x30f5f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«\x07", lpUsedDefaultChar=0x0) returned 256 [0139.251] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x30f4f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0139.251] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x30f4f0, cbMultiByte=256, lpWideCharStr=0x30f1c0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0139.251] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0139.251] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x30efb0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0139.251] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x30f6f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0139.252] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x0, Size=0x100) returned 0x7f590 [0139.252] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0139.252] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x194) returned 0x7f6a0 [0139.252] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0139.252] GetLastError () returned 0x0 [0139.252] SetLastError (dwErrCode=0x0) [0139.252] GetEnvironmentStringsW () returned 0x7f840* [0139.252] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x0, Size=0xb32) returned 0x80380 [0139.252] FreeEnvironmentStringsW (penv=0x7f840) returned 1 [0139.252] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x128) returned 0x7f840 [0139.252] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x3e) returned 0x7afe0 [0139.252] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x56) returned 0x7adc0 [0139.252] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x62) returned 0x80ec0 [0139.252] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x78) returned 0x80f30 [0139.252] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x62) returned 0x7f970 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x30) returned 0x7e900 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x48) returned 0x7b030 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x28) returned 0x779a0 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x1a) returned 0x779d0 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x34) returned 0x7e940 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x5c) returned 0x7f9e0 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x32) returned 0x7e980 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x2e) returned 0x7e9c0 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x1c) returned 0x77a00 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x19c) returned 0x7fa50 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x7c) returned 0x7fc00 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x3a) returned 0x7b080 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x90) returned 0x7fc90 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x24) returned 0x77a30 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x30) returned 0x7ea00 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x36) returned 0x7ea40 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x3c) returned 0x7b0d0 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x52) returned 0x7fd30 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x3c) returned 0x7b120 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0xd6) returned 0x7fd90 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x2e) returned 0x7ea80 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x1e) returned 0x77a60 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x2c) returned 0x7eac0 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x54) returned 0x7fe70 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x52) returned 0x7fed0 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x2c) returned 0x7eb00 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x26) returned 0x77a90 [0139.253] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x3e) returned 0x7b170 [0139.254] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x24) returned 0x77ac0 [0139.254] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x30) returned 0x7eb40 [0139.254] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x8c) returned 0x7ff30 [0139.254] HeapFree (in: hHeap=0x60000, dwFlags=0x0, lpMem=0x80380 | out: hHeap=0x60000) returned 1 [0139.254] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x8, Size=0x1000) returned 0x80fb0 [0139.255] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0139.255] GetStartupInfoW (in: lpStartupInfo=0x30fd00 | out: lpStartupInfo=0x30fd00*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0139.255] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"iexplore.exe\"" [0139.255] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"iexplore.exe\"", pNumArgs=0x30fcd0 | out: pNumArgs=0x30fcd0) returned 0x80450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0139.256] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0139.265] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x0, Size=0x1000) returned 0x840a0 [0139.265] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x0, Size=0x12) returned 0x80e80 [0139.265] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="KlXWgB9j", cchWideChar=-1, lpMultiByteStr=0x80e80, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="KlXWgB9j", lpUsedDefaultChar=0x0) returned 9 [0139.266] GetLastError () returned 0x0 [0139.266] SetLastError (dwErrCode=0x0) [0139.266] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jW") returned 0x0 [0139.266] GetLastError () returned 0x7f [0139.266] SetLastError (dwErrCode=0x7f) [0139.266] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jA") returned 0x0 [0139.266] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9j") returned 0x7fef2eb0010 [0139.266] RtlAllocateHeap (HeapHandle=0x60000, Flags=0x0, Size=0x1a) returned 0x77b50 [0139.266] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=-1, lpMultiByteStr=0x77b50, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 13 [0139.266] GetActiveWindow () returned 0x0 [0139.269] GetLastError () returned 0x7f [0139.269] SetLastError (dwErrCode=0x7f) Process: id = "43" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x378a5000" os_pid = "0x3bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"iexplore.exe\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3024 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3025 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3026 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3027 start_va = 0x110000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3028 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3029 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3030 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3031 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 3032 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3033 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3034 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3035 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3036 start_va = 0x210000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3037 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3038 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3039 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3040 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3041 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3042 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3043 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3044 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3045 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3046 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3047 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3048 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3049 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3050 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3051 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3052 start_va = 0x210000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3053 start_va = 0x350000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 3054 start_va = 0x210000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3055 start_va = 0x330000 end_va = 0x33ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 3056 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3057 start_va = 0x450000 end_va = 0x5d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 3058 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3059 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3060 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3132 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3133 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3134 start_va = 0x5e0000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 3135 start_va = 0x770000 end_va = 0x1b6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 3142 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 3143 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 3144 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3145 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3146 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3411 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 3412 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Thread: id = 186 os_tid = 0x3b4 [0139.748] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fbd8 | out: lpSystemTimeAsFileTime=0x20fbd8*(dwLowDateTime=0x43660000, dwHighDateTime=0x1d937fd)) [0139.749] GetCurrentThreadId () returned 0x3b4 [0139.749] GetCurrentProcessId () returned 0x3bc [0139.749] QueryPerformanceCounter (in: lpPerformanceCount=0x20fbe0 | out: lpPerformanceCount=0x20fbe0*=3329524677153) returned 1 [0139.752] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0139.763] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0139.763] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0139.764] GetLastError () returned 0x7e [0139.764] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0139.764] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0139.764] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0139.765] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0139.767] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0139.768] GetProcessHeap () returned 0x350000 [0139.769] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0139.769] GetLastError () returned 0x7e [0139.769] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0139.769] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0139.769] GetLastError () returned 0x7e [0139.769] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0139.769] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0139.770] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3c8) returned 0x36cfb0 [0139.770] SetLastError (dwErrCode=0x7e) [0139.770] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1200) returned 0x36d380 [0139.773] GetStartupInfoW (in: lpStartupInfo=0x20fab0 | out: lpStartupInfo=0x20fab0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x20fb38, hStdError=0x1)) [0139.773] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0139.773] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0139.773] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0139.773] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"iexplore.exe\"" [0139.773] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"iexplore.exe\"" [0139.773] GetACP () returned 0x4e4 [0139.774] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x228) returned 0x36ab90 [0139.774] IsValidCodePage (CodePage=0x4e4) returned 1 [0139.774] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x20fa70 | out: lpCPInfo=0x20fa70) returned 1 [0139.774] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x20f310 | out: lpCPInfo=0x20f310) returned 1 [0139.774] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f330, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0139.774] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f330, cbMultiByte=256, lpWideCharStr=0x20f060, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0139.774] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x20f630 | out: lpCharType=0x20f630) returned 1 [0139.774] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f330, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0139.774] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f330, cbMultiByte=256, lpWideCharStr=0x20f000, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0139.774] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0139.774] GetLastError () returned 0x7e [0139.775] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0139.775] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0139.775] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x20edf0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0139.775] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x20f430, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«6", lpUsedDefaultChar=0x0) returned 256 [0139.775] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f330, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0139.775] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x20f330, cbMultiByte=256, lpWideCharStr=0x20f000, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0139.777] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0139.777] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x20edf0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0139.777] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x20f530, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0139.777] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x100) returned 0x36f590 [0139.777] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0139.777] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x192) returned 0x36f6a0 [0139.777] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0139.777] GetLastError () returned 0x0 [0139.777] SetLastError (dwErrCode=0x0) [0139.777] GetEnvironmentStringsW () returned 0x36f840* [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0xb32) returned 0x370380 [0139.778] FreeEnvironmentStringsW (penv=0x36f840) returned 1 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x128) returned 0x36f840 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3e) returned 0x36afe0 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x56) returned 0x36adc0 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x62) returned 0x370ec0 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x78) returned 0x370f30 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x62) returned 0x36f970 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x30) returned 0x36e900 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x48) returned 0x36b030 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x28) returned 0x3679a0 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1a) returned 0x3679d0 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x34) returned 0x36e940 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x5c) returned 0x36f9e0 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x32) returned 0x36e980 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2e) returned 0x36e9c0 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1c) returned 0x367a00 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x19c) returned 0x36fa50 [0139.778] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x7c) returned 0x36fc00 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3a) returned 0x36b080 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x90) returned 0x36fc90 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x24) returned 0x367a30 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x30) returned 0x36ea00 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x36) returned 0x36ea40 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3c) returned 0x36b0d0 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x52) returned 0x36fd30 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3c) returned 0x36b120 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0xd6) returned 0x36fd90 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2e) returned 0x36ea80 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1e) returned 0x367a60 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2c) returned 0x36eac0 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x54) returned 0x36fe70 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x52) returned 0x36fed0 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x2c) returned 0x36eb00 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x26) returned 0x367a90 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x3e) returned 0x36b170 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x24) returned 0x367ac0 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x30) returned 0x36eb40 [0139.779] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x8c) returned 0x36ff30 [0139.780] HeapFree (in: hHeap=0x350000, dwFlags=0x0, lpMem=0x370380 | out: hHeap=0x350000) returned 1 [0139.780] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x8, Size=0x1000) returned 0x370fb0 [0139.781] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0139.781] GetStartupInfoW (in: lpStartupInfo=0x20fb40 | out: lpStartupInfo=0x20fb40*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0139.781] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"iexplore.exe\"" [0139.781] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"iexplore.exe\"", pNumArgs=0x20fb10 | out: pNumArgs=0x20fb10) returned 0x370450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0139.781] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0139.820] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x1000) returned 0x3740a0 [0139.820] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x10) returned 0x370e80 [0139.820] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="LKKIJ77", cchWideChar=-1, lpMultiByteStr=0x370e80, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LKKIJ77", lpUsedDefaultChar=0x0) returned 8 [0139.821] GetLastError () returned 0x0 [0139.821] SetLastError (dwErrCode=0x0) [0139.821] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77W") returned 0x0 [0139.822] GetLastError () returned 0x7f [0139.822] SetLastError (dwErrCode=0x7f) [0139.822] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77A") returned 0x0 [0139.822] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77") returned 0x7fef2ea6420 [0139.822] RtlAllocateHeap (HeapHandle=0x350000, Flags=0x0, Size=0x1a) returned 0x367b50 [0139.822] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=-1, lpMultiByteStr=0x367b50, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 13 [0139.822] GetActiveWindow () returned 0x0 [0139.824] GetLastError () returned 0x7f [0139.824] SetLastError (dwErrCode=0x7f) Process: id = "44" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x38ab1000" os_pid = "0xb78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"iexplore.exe\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3102 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3103 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3104 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3105 start_va = 0x1f0000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3106 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3107 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3108 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3109 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 3110 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3111 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3112 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3113 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3114 start_va = 0x2f0000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 3115 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3116 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3117 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3118 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3119 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3120 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3121 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3122 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3123 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3124 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3125 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3126 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3127 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3128 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3129 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3130 start_va = 0x570000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 3131 start_va = 0xc0000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3136 start_va = 0x1c0000 end_va = 0x1e8fff monitored = 0 entry_point = 0x1c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3137 start_va = 0x570000 end_va = 0x6f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 3138 start_va = 0x700000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 3139 start_va = 0x1c0000 end_va = 0x1e8fff monitored = 0 entry_point = 0x1c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3140 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3141 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3179 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3180 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3181 start_va = 0x710000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 3182 start_va = 0x8a0000 end_va = 0x1c9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 3188 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 3189 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 3190 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3191 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3192 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 3193 start_va = 0x470000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Thread: id = 192 os_tid = 0x784 [0140.369] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2efa38 | out: lpSystemTimeAsFileTime=0x2efa38*(dwLowDateTime=0x43c1dba0, dwHighDateTime=0x1d937fd)) [0140.369] GetCurrentThreadId () returned 0x784 [0140.369] GetCurrentProcessId () returned 0xb78 [0140.369] QueryPerformanceCounter (in: lpPerformanceCount=0x2efa40 | out: lpPerformanceCount=0x2efa40*=3329586723734) returned 1 [0140.370] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0140.374] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0140.374] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0140.374] GetLastError () returned 0x7e [0140.374] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0140.374] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0140.375] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0140.376] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0140.376] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0140.377] GetProcessHeap () returned 0x470000 [0140.377] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0140.377] GetLastError () returned 0x7e [0140.377] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0140.378] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0140.378] GetLastError () returned 0x7e [0140.378] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0140.378] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0140.378] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3c8) returned 0x48cfb0 [0140.379] SetLastError (dwErrCode=0x7e) [0140.379] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1200) returned 0x48d380 [0140.382] GetStartupInfoW (in: lpStartupInfo=0x2ef910 | out: lpStartupInfo=0x2ef910*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x2ef998, hStdError=0x1)) [0140.382] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0140.382] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0140.382] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0140.382] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"iexplore.exe\"" [0140.382] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"iexplore.exe\"" [0140.382] GetACP () returned 0x4e4 [0140.382] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x228) returned 0x48ab90 [0140.382] IsValidCodePage (CodePage=0x4e4) returned 1 [0140.382] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2ef8d0 | out: lpCPInfo=0x2ef8d0) returned 1 [0140.382] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x2ef170 | out: lpCPInfo=0x2ef170) returned 1 [0140.382] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef190, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0140.383] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef190, cbMultiByte=256, lpWideCharStr=0x2eeec0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0140.383] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x2ef490 | out: lpCharType=0x2ef490) returned 1 [0140.383] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef190, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0140.383] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef190, cbMultiByte=256, lpWideCharStr=0x2eee60, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0140.383] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0140.383] GetLastError () returned 0x7e [0140.383] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0140.384] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0140.384] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2eec50, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0140.384] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x2ef290, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90«H", lpUsedDefaultChar=0x0) returned 256 [0140.384] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef190, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0140.384] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x2ef190, cbMultiByte=256, lpWideCharStr=0x2eee60, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0140.384] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0140.385] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x2eec50, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0140.385] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x2ef390, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0140.385] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100) returned 0x48f590 [0140.385] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0140.385] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x198) returned 0x48f6a0 [0140.385] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0140.385] GetLastError () returned 0x0 [0140.385] SetLastError (dwErrCode=0x0) [0140.385] GetEnvironmentStringsW () returned 0x48f840* [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xb32) returned 0x490380 [0140.387] FreeEnvironmentStringsW (penv=0x48f840) returned 1 [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x128) returned 0x48f840 [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3e) returned 0x48afe0 [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x56) returned 0x48adc0 [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x62) returned 0x490ec0 [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x78) returned 0x490f30 [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x62) returned 0x48f970 [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x30) returned 0x48e900 [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x48) returned 0x48b030 [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x28) returned 0x4879a0 [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1a) returned 0x4879d0 [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x34) returned 0x48e940 [0140.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x5c) returned 0x48f9e0 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x32) returned 0x48e980 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2e) returned 0x48e9c0 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1c) returned 0x487a00 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x19c) returned 0x48fa50 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x7c) returned 0x48fc00 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3a) returned 0x48b080 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x90) returned 0x48fc90 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x24) returned 0x487a30 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x30) returned 0x48ea00 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x36) returned 0x48ea40 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3c) returned 0x48b0d0 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x52) returned 0x48fd30 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3c) returned 0x48b120 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0xd6) returned 0x48fd90 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2e) returned 0x48ea80 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1e) returned 0x487a60 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2c) returned 0x48eac0 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x54) returned 0x48fe70 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x52) returned 0x48fed0 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x2c) returned 0x48eb00 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x26) returned 0x487a90 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x3e) returned 0x48b170 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x24) returned 0x487ac0 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x30) returned 0x48eb40 [0140.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x8c) returned 0x48ff30 [0140.390] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x490380 | out: hHeap=0x470000) returned 1 [0140.390] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x8, Size=0x1000) returned 0x490fb0 [0140.390] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0140.390] GetStartupInfoW (in: lpStartupInfo=0x2ef9a0 | out: lpStartupInfo=0x2ef9a0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0140.390] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"iexplore.exe\"" [0140.391] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"iexplore.exe\"", pNumArgs=0x2ef970 | out: pNumArgs=0x2ef970) returned 0x490450*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0140.391] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0140.411] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x4940a0 [0140.411] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x16) returned 0x490e80 [0140.411] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MMlFUh3Tzt", cchWideChar=-1, lpMultiByteStr=0x490e80, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMlFUh3Tzt", lpUsedDefaultChar=0x0) returned 11 [0140.411] GetLastError () returned 0x0 [0140.411] SetLastError (dwErrCode=0x0) [0140.412] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztW") returned 0x0 [0140.412] GetLastError () returned 0x7f [0140.412] SetLastError (dwErrCode=0x7f) [0140.412] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztA") returned 0x0 [0140.412] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3Tzt") returned 0x7fef2eb0cf0 [0140.412] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1a) returned 0x487b50 [0140.412] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=-1, lpMultiByteStr=0x487b50, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 13 [0140.413] GetActiveWindow () returned 0x0 [0140.414] GetLastError () returned 0x7f [0140.414] SetLastError (dwErrCode=0x7f) Process: id = "45" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x388bd000" os_pid = "0xaec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"%Temp%\\IXP000.TMP\\\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3148 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3149 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3150 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3151 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3152 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3153 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3154 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3155 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 3156 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3157 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3158 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3159 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3160 start_va = 0x150000 end_va = 0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3161 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3162 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3163 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3164 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3165 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3166 start_va = 0x2a0000 end_va = 0x306fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3167 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3168 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3169 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3170 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3171 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3172 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3173 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3174 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3175 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3176 start_va = 0x150000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3177 start_va = 0x1a0000 end_va = 0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 3178 start_va = 0x310000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 3183 start_va = 0x170000 end_va = 0x198fff monitored = 0 entry_point = 0x171010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3184 start_va = 0x410000 end_va = 0x597fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 3185 start_va = 0x170000 end_va = 0x198fff monitored = 0 entry_point = 0x171010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3186 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3187 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3225 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3226 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3227 start_va = 0x160000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 3228 start_va = 0x5a0000 end_va = 0x720fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 3229 start_va = 0x730000 end_va = 0x1b2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 3236 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 3237 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 3238 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 3297 start_va = 0x1b30000 end_va = 0x1badfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b30000" filename = "" Region: id = 3298 start_va = 0x1bb0000 end_va = 0x1d07fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bb0000" filename = "" Region: id = 3299 start_va = 0x1d10000 end_va = 0x1e70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d10000" filename = "" Region: id = 3300 start_va = 0x7fefd2c0000 end_va = 0x7fefd42cfff monitored = 0 entry_point = 0x7fefd2c10b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3301 start_va = 0x7fefd270000 end_va = 0x7fefd27efff monitored = 0 entry_point = 0x7fefd271020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3302 start_va = 0x7fefd060000 end_va = 0x7fefd06afff monitored = 0 entry_point = 0x7fefd061030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3303 start_va = 0x7fefd090000 end_va = 0x7fefd0b4fff monitored = 0 entry_point = 0x7fefd099658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3304 start_va = 0x7feff060000 end_va = 0x7feff13afff monitored = 0 entry_point = 0x7feff080760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3305 start_va = 0x7feff1e0000 end_va = 0x7feff1fefff monitored = 0 entry_point = 0x7feff1e60e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3306 start_va = 0x7feff2d0000 end_va = 0x7feff3a6fff monitored = 0 entry_point = 0x7feff2d3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3307 start_va = 0x7fefabb0000 end_va = 0x7fefabc7fff monitored = 0 entry_point = 0x7fefabb1010 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 3308 start_va = 0x7fefacc0000 end_va = 0x7feface6fff monitored = 0 entry_point = 0x7fefacc98bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3309 start_va = 0x7fefed70000 end_va = 0x7fefed77fff monitored = 0 entry_point = 0x7fefed71504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3310 start_va = 0x7fefacb0000 end_va = 0x7fefacbafff monitored = 0 entry_point = 0x7fefacb1198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3311 start_va = 0x7fefb550000 end_va = 0x7fefb560fff monitored = 0 entry_point = 0x7fefb551070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3312 start_va = 0x7feff280000 end_va = 0x7feff2ccfff monitored = 0 entry_point = 0x7feff281070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3313 start_va = 0x1e80000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 3345 start_va = 0x1ff0000 end_va = 0x22befff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3346 start_va = 0x2380000 end_va = 0x247ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002380000" filename = "" Region: id = 3347 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 3348 start_va = 0x1e80000 end_va = 0x1efcfff monitored = 0 entry_point = 0x1e8cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3349 start_va = 0x1f70000 end_va = 0x1feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 3350 start_va = 0x1e80000 end_va = 0x1efcfff monitored = 0 entry_point = 0x1e8cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3351 start_va = 0x7fefd0c0000 end_va = 0x7fefd0cefff monitored = 0 entry_point = 0x7fefd0c1010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3418 start_va = 0x2660000 end_va = 0x275ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002660000" filename = "" Region: id = 3419 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 3420 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 3421 start_va = 0x7feff140000 end_va = 0x7feff1d8fff monitored = 0 entry_point = 0x7feff141c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3422 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3423 start_va = 0x7fef9520000 end_va = 0x7fef952dfff monitored = 0 entry_point = 0x7fef9525500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3424 start_va = 0x7fef97c0000 end_va = 0x7fef9836fff monitored = 0 entry_point = 0x7fef97fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 3425 start_va = 0x7fefcc30000 end_va = 0x7fefcc51fff monitored = 0 entry_point = 0x7fefcc35d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3426 start_va = 0x27b0000 end_va = 0x28affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 3427 start_va = 0x7fefcac0000 end_va = 0x7fefcad7fff monitored = 0 entry_point = 0x7fefcac3b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3428 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 3429 start_va = 0x1e80000 end_va = 0x1ec4fff monitored = 0 entry_point = 0x1e81064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3430 start_va = 0x1e80000 end_va = 0x1ec4fff monitored = 0 entry_point = 0x1e81064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3431 start_va = 0x1e80000 end_va = 0x1ec4fff monitored = 0 entry_point = 0x1e81064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3432 start_va = 0x1e80000 end_va = 0x1ec4fff monitored = 0 entry_point = 0x1e81064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3433 start_va = 0x1e80000 end_va = 0x1ec4fff monitored = 0 entry_point = 0x1e81064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3434 start_va = 0x7fefc7c0000 end_va = 0x7fefc806fff monitored = 0 entry_point = 0x7fefc7c1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3435 start_va = 0x7fefd1b0000 end_va = 0x7fefd1c3fff monitored = 0 entry_point = 0x7fefd1b10e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3436 start_va = 0x2900000 end_va = 0x29fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 3437 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3438 start_va = 0x2a50000 end_va = 0x2b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 3439 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 3440 start_va = 0x7fef9240000 end_va = 0x7fef9252fff monitored = 0 entry_point = 0x7fef9241d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 3441 start_va = 0x7fef9560000 end_va = 0x7fef9632fff monitored = 0 entry_point = 0x7fef95d8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 3442 start_va = 0x7fef9530000 end_va = 0x7fef9556fff monitored = 0 entry_point = 0x7fef95311a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 3443 start_va = 0x1e80000 end_va = 0x1e82fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e80000" filename = "" Thread: id = 194 os_tid = 0x698 [0140.916] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14f998 | out: lpSystemTimeAsFileTime=0x14f998*(dwLowDateTime=0x441216b0, dwHighDateTime=0x1d937fd)) [0140.916] GetCurrentThreadId () returned 0x698 [0140.916] GetCurrentProcessId () returned 0xaec [0140.916] QueryPerformanceCounter (in: lpPerformanceCount=0x14f9a0 | out: lpPerformanceCount=0x14f9a0*=3329867736070) returned 1 [0140.917] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0140.919] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0140.919] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0140.920] GetLastError () returned 0x7e [0140.920] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0140.920] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0140.920] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0140.921] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0140.921] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0140.922] GetProcessHeap () returned 0x1a0000 [0140.922] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0140.922] GetLastError () returned 0x7e [0140.922] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0140.922] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0140.922] GetLastError () returned 0x7e [0140.922] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0140.923] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0140.923] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3c8) returned 0x1bcfd0 [0140.923] SetLastError (dwErrCode=0x7e) [0140.923] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1200) returned 0x1bd3a0 [0140.925] GetStartupInfoW (in: lpStartupInfo=0x14f870 | out: lpStartupInfo=0x14f870*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x14f8f8, hStdError=0x1)) [0140.926] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0140.926] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0140.926] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0140.926] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0140.926] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0140.926] GetACP () returned 0x4e4 [0140.926] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x228) returned 0x1babb0 [0140.926] IsValidCodePage (CodePage=0x4e4) returned 1 [0140.926] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14f830 | out: lpCPInfo=0x14f830) returned 1 [0140.926] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14f0d0 | out: lpCPInfo=0x14f0d0) returned 1 [0140.926] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f0f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0140.926] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f0f0, cbMultiByte=256, lpWideCharStr=0x14ee20, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0140.926] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x14f3f0 | out: lpCharType=0x14f3f0) returned 1 [0140.927] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f0f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0140.927] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f0f0, cbMultiByte=256, lpWideCharStr=0x14edc0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0140.927] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0140.927] GetLastError () returned 0x7e [0140.927] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0140.927] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0140.928] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x14ebb0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0140.928] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x14f1f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ°«\x1b", lpUsedDefaultChar=0x0) returned 256 [0140.928] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f0f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0140.928] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f0f0, cbMultiByte=256, lpWideCharStr=0x14edc0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0140.928] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0140.928] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x14ebb0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0140.928] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x14f2f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0140.928] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x100) returned 0x1bf5b0 [0140.928] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0140.928] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1a4) returned 0x1bf6c0 [0140.928] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0140.928] GetLastError () returned 0x0 [0140.928] SetLastError (dwErrCode=0x0) [0140.928] GetEnvironmentStringsW () returned 0x1bf870* [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0xb32) returned 0x1c03b0 [0140.929] FreeEnvironmentStringsW (penv=0x1bf870) returned 1 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x128) returned 0x1bf870 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3e) returned 0x1bb000 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x56) returned 0x1bade0 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x62) returned 0x1c0ef0 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x78) returned 0x1bf9a0 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x62) returned 0x1c0f60 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x30) returned 0x1be920 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x48) returned 0x1bb050 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x28) returned 0x1b79c0 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1a) returned 0x1b79f0 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x34) returned 0x1be960 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x5c) returned 0x1bfa20 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x32) returned 0x1be9a0 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x2e) returned 0x1be9e0 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1c) returned 0x1b7a20 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x19c) returned 0x1bfa90 [0140.929] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x7c) returned 0x1bfc40 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3a) returned 0x1bb0a0 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x90) returned 0x1bfcd0 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x24) returned 0x1b7a50 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x30) returned 0x1bea20 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x36) returned 0x1bea60 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3c) returned 0x1bb0f0 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x52) returned 0x1bfd70 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3c) returned 0x1bb140 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0xd6) returned 0x1bfdd0 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x2e) returned 0x1beaa0 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1e) returned 0x1b7a80 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x2c) returned 0x1beae0 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x54) returned 0x1bfeb0 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x52) returned 0x1bff10 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x2c) returned 0x1beb20 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x26) returned 0x1b7ab0 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3e) returned 0x1bb190 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x24) returned 0x1b7ae0 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x30) returned 0x1beb60 [0140.930] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x8c) returned 0x1bff70 [0140.931] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c03b0 | out: hHeap=0x1a0000) returned 1 [0140.931] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1000) returned 0x1c0fd0 [0140.931] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0140.932] GetStartupInfoW (in: lpStartupInfo=0x14f900 | out: lpStartupInfo=0x14f900*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0140.932] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0140.932] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"%Temp%\\IXP000.TMP\\\"", pNumArgs=0x14f8d0 | out: pNumArgs=0x14f8d0) returned 0x1c0490*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0140.932] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0140.938] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x1000) returned 0x1c40c0 [0140.938] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x16) returned 0x1c0ed0 [0140.938] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Cpurthnvlc", cchWideChar=-1, lpMultiByteStr=0x1c0ed0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Cpurthnvlc", lpUsedDefaultChar=0x0) returned 11 [0140.939] GetLastError () returned 0x0 [0140.939] SetLastError (dwErrCode=0x0) [0140.939] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcW") returned 0x0 [0140.939] GetLastError () returned 0x7f [0140.939] SetLastError (dwErrCode=0x7f) [0140.939] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="CpurthnvlcA") returned 0x0 [0140.939] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="Cpurthnvlc") returned 0x7fef2ea5970 [0140.939] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x26) returned 0x1b7b70 [0140.939] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="%Temp%\\IXP000.TMP\"", cchWideChar=-1, lpMultiByteStr=0x1b7b70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="%Temp%\\IXP000.TMP\"", lpUsedDefaultChar=0x0) returned 19 [0140.940] GetActiveWindow () returned 0x0 [0147.795] VirtualAlloc (lpAddress=0x0, dwSize=0x7e000, flAllocationType=0x3000, flProtect=0x40) returned 0x1b30000 [0147.857] GetProcAddress (hModule=0x77160000, lpProcName="ExitProcess") returned 0x772a40f0 [0147.858] GetProcAddress (hModule=0x77160000, lpProcName="LoadLibraryW") returned 0x77176420 [0147.858] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x77280000 [0147.858] GetProcAddress (hModule=0x77280000, lpProcName="NtMapViewOfSection") returned 0x772d1590 [0147.858] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenFile") returned 0x772d1640 [0147.858] GetProcAddress (hModule=0x77280000, lpProcName="NtOpenSection") returned 0x772d1680 [0147.858] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateSection") returned 0x772d17b0 [0147.858] GetProcAddress (hModule=0x77160000, lpProcName="VirtualProtect") returned 0x771629f0 [0147.858] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentThreadId") returned 0x77173380 [0147.858] GetProcAddress (hModule=0x77160000, lpProcName="GetModuleFileNameA") returned 0x77175940 [0147.858] GetProcAddress (hModule=0x77160000, lpProcName="VirtualAlloc") returned 0x77175c40 [0147.859] GetProcAddress (hModule=0x77160000, lpProcName="GetProcessHeap") returned 0x77181a30 [0147.859] GetProcAddress (hModule=0x77160000, lpProcName="HeapAlloc") returned 0x772d33a0 [0147.859] GetProcAddress (hModule=0x77160000, lpProcName="HeapFree") returned 0x77181a50 [0147.859] GetModuleFileNameA (in: hModule=0x7fef2ea0000, lpFilename=0x14f5d0, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll")) returned 0x62 [0147.948] VirtualAlloc (lpAddress=0x0, dwSize=0x158000, flAllocationType=0x3000, flProtect=0x4) returned 0x1bb0000 [0147.962] GetProcessHeap () returned 0x1a0000 [0147.962] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x3f80) returned 0x1c50d0 [0148.083] GetProcessHeap () returned 0x1a0000 [0148.083] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c50d0 | out: hHeap=0x1a0000) returned 1 [0148.083] GetCurrentThreadId () returned 0x698 [0148.083] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x14f494 | out: lpflOldProtect=0x14f494*=0x20) returned 1 [0148.084] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x14f494 | out: lpflOldProtect=0x14f494*=0x40) returned 1 [0148.084] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x14f494 | out: lpflOldProtect=0x14f494*=0x20) returned 1 [0148.084] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x14f494 | out: lpflOldProtect=0x14f494*=0x40) returned 1 [0148.084] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x14f494 | out: lpflOldProtect=0x14f494*=0x20) returned 1 [0148.085] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x14f494 | out: lpflOldProtect=0x14f494*=0x40) returned 1 [0148.085] LoadLibraryW (lpLibFileName="gdiplus.dll") returned 0x1d10000 [0148.085] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x14e304 | out: lpflOldProtect=0x14e304*=0x20) returned 1 [0148.086] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x14e304 | out: lpflOldProtect=0x14e304*=0x40) returned 1 [0148.086] NtOpenFile (in: FileHandle=0x14e3e8, DesiredAccess=0x100020, ObjectAttributes=0x14e438*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x14e468, ShareAccess=0x3, OpenOptions=0x21 | out: FileHandle=0x14e3e8*=0x70, IoStatusBlock=0x14e468*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0148.170] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x14e304 | out: lpflOldProtect=0x14e304*=0x20) returned 1 [0148.170] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x14e304 | out: lpflOldProtect=0x14e304*=0x40) returned 1 [0148.170] GetCurrentThreadId () returned 0x698 [0148.170] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x14efd4 | out: lpflOldProtect=0x14efd4*=0x20) returned 1 [0148.171] VirtualProtect (in: lpAddress=0x772d1640, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x14efd4 | out: lpflOldProtect=0x14efd4*=0x40) returned 1 [0148.171] NtOpenFile (in: FileHandle=0x14f0a0, DesiredAccess=0x100021, ObjectAttributes=0x14f158*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x14f188, ShareAccess=0x5, OpenOptions=0x60 | out: FileHandle=0x14f0a0*=0x74, IoStatusBlock=0x14f188*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0148.171] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x14efc4 | out: lpflOldProtect=0x14efc4*=0x20) returned 1 [0148.172] VirtualProtect (in: lpAddress=0x772d17b0, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x14efc4 | out: lpflOldProtect=0x14efc4*=0x40) returned 1 [0148.172] GetCurrentThreadId () returned 0x698 [0148.172] NtCreateSection (in: SectionHandle=0x14f0a8, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x74 | out: SectionHandle=0x14f0a8*=0x78) returned 0x0 [0148.172] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x40, lpflOldProtect=0x14ee54 | out: lpflOldProtect=0x14ee54*=0x20) returned 1 [0148.172] VirtualProtect (in: lpAddress=0x772d1590, dwSize=0xd, flNewProtect=0x20, lpflOldProtect=0x14ee54 | out: lpflOldProtect=0x14ee54*=0x40) returned 1 [0148.173] GetCurrentThreadId () returned 0x698 [0148.173] NtCreateSection (in: SectionHandle=0x14ef38, DesiredAccess=0xe, ObjectAttributes=0x0, MaximumSize=0x14ef30, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x14ef38*=0x7c) returned 0x0 [0148.173] NtMapViewOfSection (in: SectionHandle=0x7c, ProcessHandle=0xffffffffffffffff, BaseAddress=0x14eed8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x14f0f8*=0x0, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x14eed8*=0x1d10000, SectionOffset=0x0, ViewSize=0x14f0f8*=0x161000) returned 0x0 [0148.340] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14efd8 | out: lpSystemTimeAsFileTime=0x14efd8*(dwLowDateTime=0x48661720, dwHighDateTime=0x1d937fd)) [0148.340] GetCurrentThreadId () returned 0x698 [0148.340] GetCurrentProcessId () returned 0xaec [0148.340] QueryPerformanceCounter (in: lpPerformanceCount=0x14efe0 | out: lpPerformanceCount=0x14efe0*=3330809688534) returned 1 [0148.473] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0148.474] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0148.474] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0148.474] GetLastError () returned 0x7e [0148.474] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0148.474] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0148.495] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0148.637] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0148.637] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0148.651] GetProcessHeap () returned 0x1a0000 [0148.664] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0148.664] GetLastError () returned 0x7e [0148.664] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0148.664] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0148.664] GetLastError () returned 0x7e [0148.664] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0148.679] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3c8) returned 0x1d1aa0 [0148.680] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0148.710] SetLastError (dwErrCode=0x7e) [0148.759] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1000) returned 0x1d1e70 [0148.761] GetStartupInfoW (in: lpStartupInfo=0x14ee60 | out: lpStartupInfo=0x14ee60*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x1)) [0148.761] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0148.761] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0148.762] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0148.781] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0148.781] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=Cpurthnvlc /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0148.801] GetLastError () returned 0x7e [0148.801] SetLastError (dwErrCode=0x7e) [0148.801] GetLastError () returned 0x7e [0148.801] SetLastError (dwErrCode=0x7e) [0148.802] GetACP () returned 0x4e4 [0148.802] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x228) returned 0x1d3e80 [0148.802] IsValidCodePage (CodePage=0x4e4) returned 1 [0148.802] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14ee30 | out: lpCPInfo=0x14ee30) returned 1 [0148.821] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14e6d0 | out: lpCPInfo=0x14e6d0) returned 1 [0148.821] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14e6f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0148.821] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14e6f0, cbMultiByte=256, lpWideCharStr=0x14e420, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ\x1a") returned 256 [0148.821] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȰ\x1a", cchSrc=256, lpCharType=0x14e9f0 | out: lpCharType=0x14e9f0) returned 1 [0148.849] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14e6f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0148.849] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14e6f0, cbMultiByte=256, lpWideCharStr=0x14e3c0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0148.849] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0148.850] GetLastError () returned 0x7e [0148.850] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0148.850] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0148.850] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x14e1b0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0148.850] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x14e7f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿX\x01\x1a", lpUsedDefaultChar=0x0) returned 256 [0148.850] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14e6f0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0148.850] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14e6f0, cbMultiByte=256, lpWideCharStr=0x14e3c0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0148.850] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0148.850] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x14e1b0, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0148.850] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x14e8f0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0148.850] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x100) returned 0x1d40b0 [0148.851] RtlInitializeSListHead (in: ListHead=0x1e58410 | out: ListHead=0x1e58410) [0148.905] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0148.905] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0148.905] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0148.905] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0148.905] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0148.906] GetProcAddress (hModule=0x77160000, lpProcName="InitializeCriticalSectionEx") returned 0x77176e50 [0148.906] GetProcAddress (hModule=0x77160000, lpProcName="InitOnceExecuteOnce") returned 0x77165d60 [0148.906] GetProcAddress (hModule=0x77160000, lpProcName="CreateEventExW") returned 0x771ac970 [0148.906] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreW") returned 0x77168e00 [0148.906] GetProcAddress (hModule=0x77160000, lpProcName="CreateSemaphoreExW") returned 0x771ac8a0 [0148.906] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolTimer") returned 0x77167e90 [0148.906] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolTimer") returned 0x7729b2f0 [0148.906] GetProcAddress (hModule=0x77160000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x7728d8c0 [0148.906] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolTimer") returned 0x7728d620 [0148.906] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWait") returned 0x771abe60 [0148.907] GetProcAddress (hModule=0x77160000, lpProcName="SetThreadpoolWait") returned 0x7729e170 [0148.907] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWait") returned 0x7728c540 [0148.907] GetProcAddress (hModule=0x77160000, lpProcName="FlushProcessWriteBuffers") returned 0x772d1f80 [0148.907] GetProcAddress (hModule=0x77160000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x7734ec60 [0148.907] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentProcessorNumber") returned 0x772d0040 [0148.907] GetProcAddress (hModule=0x77160000, lpProcName="CreateSymbolicLinkW") returned 0x771d5af0 [0148.907] GetProcAddress (hModule=0x77160000, lpProcName="GetCurrentPackageId") returned 0x0 [0148.907] GetProcAddress (hModule=0x77160000, lpProcName="GetTickCount64") returned 0x77168ac0 [0148.907] GetProcAddress (hModule=0x77160000, lpProcName="GetFileInformationByHandleEx") returned 0x771712f0 [0148.907] GetProcAddress (hModule=0x77160000, lpProcName="SetFileInformationByHandle") returned 0x771ac120 [0148.908] GetProcAddress (hModule=0x77160000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0148.908] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0148.908] GetProcAddress (hModule=0x77160000, lpProcName="WakeConditionVariable") returned 0x7733bab0 [0148.908] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0148.908] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0148.908] GetProcAddress (hModule=0x77160000, lpProcName="InitializeSRWLock") returned 0x772b84f0 [0148.908] GetProcAddress (hModule=0x77160000, lpProcName="AcquireSRWLockExclusive") returned 0x772a8020 [0148.908] GetProcAddress (hModule=0x77160000, lpProcName="TryAcquireSRWLockExclusive") returned 0x7732bdd0 [0148.908] GetProcAddress (hModule=0x77160000, lpProcName="ReleaseSRWLockExclusive") returned 0x772a8050 [0148.908] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableSRW") returned 0x771ab5c0 [0148.909] GetProcAddress (hModule=0x77160000, lpProcName="CreateThreadpoolWork") returned 0x77165d30 [0148.909] GetProcAddress (hModule=0x77160000, lpProcName="SubmitThreadpoolWork") returned 0x77292330 [0148.909] GetProcAddress (hModule=0x77160000, lpProcName="CloseThreadpoolWork") returned 0x772921f0 [0148.909] GetProcAddress (hModule=0x77160000, lpProcName="CompareStringEx") returned 0x771abd60 [0148.909] GetProcAddress (hModule=0x77160000, lpProcName="GetLocaleInfoEx") returned 0x771635e0 [0148.909] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0148.909] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77160000 [0148.909] GetProcAddress (hModule=0x77160000, lpProcName="InitializeConditionVariable") returned 0x772b84f0 [0148.909] GetProcAddress (hModule=0x77160000, lpProcName="SleepConditionVariableCS") returned 0x771ab610 [0148.910] GetProcAddress (hModule=0x77160000, lpProcName="WakeAllConditionVariable") returned 0x772a00b0 [0148.910] RtlInitializeConditionVariable () returned 0x772a00b0 [0148.925] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1000) returned 0x1d41c0 [0148.947] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1e58fb0, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0148.947] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0xe6) returned 0x1c2f00 [0148.947] GetEnvironmentStringsW () returned 0x1d51d0* [0148.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1433 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x599) returned 0x1d5d10 [0148.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1433, lpMultiByteStr=0x1d5d10, cbMultiByte=1433, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1433 [0148.948] FreeEnvironmentStringsW (penv=0x1d51d0) returned 1 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x128) returned 0x1d51d0 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1f) returned 0x1c5ca0 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x2b) returned 0x1d3770 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x31) returned 0x1d37b0 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3c) returned 0x1d00e0 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x31) returned 0x1d37f0 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x18) returned 0x1d5300 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x24) returned 0x1c5cd0 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x14) returned 0x1d5320 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0xd) returned 0x1d5340 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1a) returned 0x1c5d00 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x2e) returned 0x1d3830 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x19) returned 0x1c5d30 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x17) returned 0x1d5360 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0xe) returned 0x1d5380 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0xce) returned 0x1d53a0 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3e) returned 0x1d0130 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1d) returned 0x1c5d60 [0148.948] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x48) returned 0x1d0180 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x12) returned 0x1d5480 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x18) returned 0x1d54a0 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1b) returned 0x1c5d90 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1e) returned 0x1c5dc0 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x29) returned 0x1d3870 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1e) returned 0x1c5df0 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x6b) returned 0x1cbde0 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x17) returned 0x1d54c0 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0xf) returned 0x1d54e0 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x16) returned 0x1d5500 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x2a) returned 0x1d38b0 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x29) returned 0x1d38f0 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x16) returned 0x1d5520 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x13) returned 0x1d62f0 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x1f) returned 0x1c5e20 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x12) returned 0x1d6310 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x18) returned 0x1d6330 [0148.949] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x46) returned 0x1d01d0 [0148.950] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d5d10 | out: hHeap=0x1a0000) returned 1 [0149.039] GetCurrentThread () returned 0xfffffffffffffffe [0149.039] GetThreadTimes (in: hThread=0xfffffffffffffffe, lpCreationTime=0x14ef18, lpExitTime=0x14ef10, lpKernelTime=0x14ef10, lpUserTime=0x14ef10 | out: lpCreationTime=0x14ef18, lpExitTime=0x14ef10, lpKernelTime=0x14ef10, lpUserTime=0x14ef10) returned 1 [0149.039] RtlInitializeSListHead (in: ListHead=0x1e58aa0 | out: ListHead=0x1e58aa0) [0149.177] RtlPcToFileHeader (in: PcValue=0x1e3fef8, BaseOfImage=0x14ee40 | out: BaseOfImage=0x14ee40*=0x1d10000) returned 0x1d10000 [0149.574] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x50) returned 0x1d6ac0 [0149.575] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x98 [0149.575] RtlWakeAllConditionVariable () returned 0x772a00b0 [0149.594] RtlWakeAllConditionVariable () returned 0x772a00b0 [0149.595] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0x14ed90 | out: lpWSAData=0x14ed90) returned 0 [0149.654] RtlWakeAllConditionVariable () returned 0x772a00b0 [0149.655] RtlWakeAllConditionVariable () returned 0x772a00b0 [0149.680] RtlSizeHeap (HeapHandle=0x1a0000, Flags=0x0, MemoryPointer=0x1d40b0) returned 0x100 [0149.680] RtlReAllocateHeap (Heap=0x1a0000, Flags=0x0, Ptr=0x1d40b0, Size=0x200) returned 0x1d5540 [0149.792] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0149.792] GetProcAddress (hModule=0x77280000, lpProcName="NtCreateThreadEx") returned 0x772d1d90 [0149.792] GetProcAddress (hModule=0x77280000, lpProcName="RtlNewSecurityObjectWithMultipleInheritance") returned 0x77364540 [0149.792] GetCurrentProcess () returned 0xffffffffffffffff [0149.793] NtCreateThreadEx (in: ThreadHandle=0x1e59890, DesiredAccess=0x1fffff, ObjectAttributes=0x0, ProcessHandle=0xffffffffffffffff, lpStartAddress=0x77364540, lpParameter=0x0, CreateSuspended=1, StackZeroBits=0x0, SizeOfStackCommit=0x0, SizeOfStackReserve=0x0, lpBytesBuffer=0x0 | out: ThreadHandle=0x1e59890*=0xb0, lpBytesBuffer=0x0) returned 0x0 [0149.793] GetThreadContext (in: hThread=0xb0, lpContext=0x14eac0 | out: lpContext=0x14eac0*(P1Home=0x1d6ec0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0x1d, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0x1d40b0, Dr2=0x772d3488, Dr3=0x1a0230, Dr6=0x1a0388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x77364540, Rdx=0x0, Rbx=0x0, Rsp=0x247fa98, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x1d40b0, VectorRegister.High=0x1d40b0, VectorControl=0x0, DebugControl=0x1d97129, LastBranchToRip=0x0, LastBranchFromRip=0x14f478, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0149.848] SetThreadContext (hThread=0xb0, lpContext=0x14eac0*(P1Home=0x1d6ec0, P2Home=0x30, P3Home=0x10, P4Home=0x7fefd4d30f5, P5Home=0x21, P6Home=0x0, ContextFlags=0x10000b, MxCsr=0x1f80, SegCs=0x33, SegDs=0x1d, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x200, Dr0=0x0, Dr1=0x1d40b0, Dr2=0x772d3488, Dr3=0x1a0230, Dr6=0x1a0388, Dr7=0xe00fa0001, Rax=0x0, Rcx=0x1d2365c, Rdx=0x0, Rbx=0x0, Rsp=0x247fa98, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x772ac500, FltSave.ControlWord=0x27f, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x1f80, FltSave.MxCsr_Mask=0xffff, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x27f, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x1d40b0, VectorRegister.High=0x1d40b0, VectorControl=0x0, DebugControl=0x1d97129, LastBranchToRip=0x0, LastBranchFromRip=0x14f478, LastExceptionToRip=0x0, LastExceptionFromRip=0x1)) returned 1 [0149.848] ResumeThread (hThread=0xb0) returned 0x1 [0149.849] GetProcAddress (hModule=0x1d10000, lpProcName="setPath") returned 0x1d24604 [0149.849] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x70) returned 0x1cbe60 [0149.849] SetEvent (hEvent=0x98) returned 1 [0149.872] WaitForSingleObject (hHandle=0xb0, dwMilliseconds=0xffffffff) returned 0x0 [0152.160] RtlExitUserProcess (ExitCode=0x0) [0152.163] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1bcfd0 | out: hHeap=0x1a0000) returned 1 [0152.164] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d1aa0 | out: hHeap=0x1a0000) returned 1 [0152.178] WSACleanup () returned 0 [0152.271] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1cbe60 | out: hHeap=0x1a0000) returned 1 [0152.271] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6ac0 | out: hHeap=0x1a0000) returned 1 [0152.286] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9680 | out: hHeap=0x1a0000) returned 1 [0152.286] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d83f0 | out: hHeap=0x1a0000) returned 1 [0152.286] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6370 | out: hHeap=0x1a0000) returned 1 [0152.286] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d61b0 | out: hHeap=0x1a0000) returned 1 [0152.286] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d3e30 | out: hHeap=0x1a0000) returned 1 [0152.300] RtlInterlockedFlushSList (in: ListHead=0x1e58410 | out: ListHead=0x1e58410) returned 0x0 [0152.300] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d5540 | out: hHeap=0x1a0000) returned 1 [0152.301] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d41c0 | out: hHeap=0x1a0000) returned 1 [0152.301] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0152.302] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1f4eb0 | out: hHeap=0x1a0000) returned 1 [0152.302] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x202fe0 | out: hHeap=0x1a0000) returned 1 [0152.302] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d61d0 | out: hHeap=0x1a0000) returned 1 [0152.302] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d93c0 | out: hHeap=0x1a0000) returned 1 [0152.303] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x206c40 | out: hHeap=0x1a0000) returned 1 [0152.303] GetProcAddress (hModule=0x77160000, lpProcName="FlsFree") returned 0x77170a50 [0152.303] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1cbfe0 | out: hHeap=0x1a0000) returned 1 [0152.304] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1cc060 | out: hHeap=0x1a0000) returned 1 [0152.304] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1cc0e0 | out: hHeap=0x1a0000) returned 1 [0152.304] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5ca0 | out: hHeap=0x1a0000) returned 1 [0152.304] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d3770 | out: hHeap=0x1a0000) returned 1 [0152.305] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d37b0 | out: hHeap=0x1a0000) returned 1 [0152.305] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d00e0 | out: hHeap=0x1a0000) returned 1 [0152.305] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d37f0 | out: hHeap=0x1a0000) returned 1 [0152.306] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d5300 | out: hHeap=0x1a0000) returned 1 [0152.306] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5cd0 | out: hHeap=0x1a0000) returned 1 [0152.361] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d5320 | out: hHeap=0x1a0000) returned 1 [0152.361] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d5340 | out: hHeap=0x1a0000) returned 1 [0152.361] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5d00 | out: hHeap=0x1a0000) returned 1 [0152.362] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d3830 | out: hHeap=0x1a0000) returned 1 [0152.362] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5d30 | out: hHeap=0x1a0000) returned 1 [0152.362] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d5360 | out: hHeap=0x1a0000) returned 1 [0152.362] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d5380 | out: hHeap=0x1a0000) returned 1 [0152.363] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d53a0 | out: hHeap=0x1a0000) returned 1 [0152.364] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0130 | out: hHeap=0x1a0000) returned 1 [0152.365] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5d60 | out: hHeap=0x1a0000) returned 1 [0152.365] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0180 | out: hHeap=0x1a0000) returned 1 [0152.366] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d5480 | out: hHeap=0x1a0000) returned 1 [0152.366] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d54a0 | out: hHeap=0x1a0000) returned 1 [0152.366] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5d90 | out: hHeap=0x1a0000) returned 1 [0152.366] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5dc0 | out: hHeap=0x1a0000) returned 1 [0152.367] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d3870 | out: hHeap=0x1a0000) returned 1 [0152.367] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5df0 | out: hHeap=0x1a0000) returned 1 [0152.369] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1cbde0 | out: hHeap=0x1a0000) returned 1 [0152.369] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d54c0 | out: hHeap=0x1a0000) returned 1 [0152.370] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d54e0 | out: hHeap=0x1a0000) returned 1 [0152.370] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d5500 | out: hHeap=0x1a0000) returned 1 [0152.371] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d38b0 | out: hHeap=0x1a0000) returned 1 [0152.372] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d38f0 | out: hHeap=0x1a0000) returned 1 [0152.372] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d5520 | out: hHeap=0x1a0000) returned 1 [0152.372] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d62f0 | out: hHeap=0x1a0000) returned 1 [0152.372] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5e20 | out: hHeap=0x1a0000) returned 1 [0152.372] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6310 | out: hHeap=0x1a0000) returned 1 [0152.372] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6330 | out: hHeap=0x1a0000) returned 1 [0152.373] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d01d0 | out: hHeap=0x1a0000) returned 1 [0152.373] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d51d0 | out: hHeap=0x1a0000) returned 1 [0152.373] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d3e80 | out: hHeap=0x1a0000) returned 1 [0152.374] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c2f00 | out: hHeap=0x1a0000) returned 1 [0152.377] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d1e70 | out: hHeap=0x1a0000) returned 1 [0152.377] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0152.377] FreeLibrary (hLibModule=0x77160000) returned 1 [0152.377] FreeLibrary (hLibModule=0x7fefa010000) returned 1 [0152.377] FreeLibrary (hLibModule=0x77160000) returned 1 Thread: id = 202 os_tid = 0xcac [0149.874] GetLastError () returned 0x57 [0149.874] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0149.874] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x78) returned 0x1cbee0 [0149.874] SetLastError (dwErrCode=0x57) [0149.874] GetLastError () returned 0x57 [0149.874] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3c8) returned 0x1d5b70 [0149.874] SetLastError (dwErrCode=0x57) [0149.899] LoadLibraryExW (lpLibFileName="api-ms-win-core-sysinfo-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0149.899] GetLastError () returned 0x7e [0149.899] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x247f520 | out: lpSystemTimeAsFileTime=0x247f520*(dwLowDateTime=0x48e77c20, dwHighDateTime=0x1d937fd)) [0149.899] GetLastError () returned 0x7e [0149.899] SetLastError (dwErrCode=0x7e) [0149.899] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) returned 0x0 [0149.899] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x70) returned 0x1cbf60 [0149.969] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x260) returned 0x1d5f40 [0150.072] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.073] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x38) returned 0x1d3e30 [0150.099] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x2) returned 0x1d61b0 [0150.099] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d61b0 | out: hHeap=0x1a0000) returned 1 [0150.099] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x2) returned 0x1d61b0 [0150.099] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x30) returned 0x1d83f0 [0150.122] GetLastError () returned 0x7e [0150.122] SetLastError (dwErrCode=0x7e) [0150.122] GetLastError () returned 0x7e [0150.123] SetLastError (dwErrCode=0x7e) [0150.148] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x158) returned 0x1d93c0 [0150.148] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x6a6) returned 0x1d9520 [0150.149] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9520 | out: hHeap=0x1a0000) returned 1 [0150.149] GetLastError () returned 0x7e [0150.149] SetLastError (dwErrCode=0x7e) [0150.151] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x6) returned 0x1d61d0 [0150.152] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x2) returned 0x1d61f0 [0150.202] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x4) returned 0x1d6210 [0150.202] GetLastError () returned 0x7e [0150.202] SetLastError (dwErrCode=0x7e) [0150.202] GetLastError () returned 0x7e [0150.202] SetLastError (dwErrCode=0x7e) [0150.202] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x158) returned 0x1d9520 [0150.202] GetLastError () returned 0x7e [0150.202] SetLastError (dwErrCode=0x7e) [0150.202] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x6a6) returned 0x1d9680 [0150.204] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9680 | out: hHeap=0x1a0000) returned 1 [0150.204] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d61d0 | out: hHeap=0x1a0000) returned 1 [0150.205] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d93c0 | out: hHeap=0x1a0000) returned 1 [0150.205] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6210 | out: hHeap=0x1a0000) returned 1 [0150.205] GetLastError () returned 0x7e [0150.205] SetLastError (dwErrCode=0x7e) [0150.205] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x6) returned 0x1d61d0 [0150.205] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x2) returned 0x1d6210 [0150.205] GetLastError () returned 0x7e [0150.205] SetLastError (dwErrCode=0x7e) [0150.205] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x200) returned 0x1d9680 [0150.205] GetLastError () returned 0x7e [0150.205] SetLastError (dwErrCode=0x7e) [0150.205] GetLastError () returned 0x7e [0150.205] SetLastError (dwErrCode=0x7e) [0150.205] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x4) returned 0x1d6230 [0150.205] GetLastError () returned 0x7e [0150.205] SetLastError (dwErrCode=0x7e) [0150.205] GetLastError () returned 0x7e [0150.206] SetLastError (dwErrCode=0x7e) [0150.206] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x158) returned 0x1d93c0 [0150.206] GetLastError () returned 0x7e [0150.206] SetLastError (dwErrCode=0x7e) [0150.206] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x6a6) returned 0x1d9890 [0150.206] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9890 | out: hHeap=0x1a0000) returned 1 [0150.206] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d61d0 | out: hHeap=0x1a0000) returned 1 [0150.207] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9520 | out: hHeap=0x1a0000) returned 1 [0150.207] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6230 | out: hHeap=0x1a0000) returned 1 [0150.207] GetLastError () returned 0x7e [0150.208] SetLastError (dwErrCode=0x7e) [0150.208] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x6) returned 0x1d61d0 [0150.208] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6210 | out: hHeap=0x1a0000) returned 1 [0150.208] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d61f0 | out: hHeap=0x1a0000) returned 1 [0150.208] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6370 [0150.208] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.208] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x25a) returned 0x1d9890 [0150.232] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.258] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5ee0 [0150.258] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5f10 [0150.258] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.258] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5ee0 | out: hHeap=0x1a0000) returned 1 [0150.258] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5ee0 [0150.258] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x60) returned 0x1cd600 [0150.259] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.259] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x80) returned 0x1d61f0 [0150.259] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1cd600 | out: hHeap=0x1a0000) returned 1 [0150.260] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5f40 [0150.260] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0xc0) returned 0x1d40b0 [0150.260] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d61f0 | out: hHeap=0x1a0000) returned 1 [0150.260] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5f70 [0150.260] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5fa0 [0150.260] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x120) returned 0x1d9520 [0150.260] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d40b0 | out: hHeap=0x1a0000) returned 1 [0150.260] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5fd0 [0150.261] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c6000 [0150.261] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x1a0) returned 0x1d9b00 [0150.261] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9520 | out: hHeap=0x1a0000) returned 1 [0150.261] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c6030 [0150.261] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c6060 [0150.261] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c6090 [0150.261] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c60c0 [0150.261] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x260) returned 0x1d9cb0 [0150.262] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9b00 | out: hHeap=0x1a0000) returned 1 [0150.262] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c60f0 [0150.262] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c6120 [0150.262] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c6150 [0150.262] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c6180 [0150.262] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1d9f50 [0150.263] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1d9f80 [0150.263] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x380) returned 0x1dab20 [0150.264] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9cb0 | out: hHeap=0x1a0000) returned 1 [0150.264] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1d9fb0 [0150.264] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1d9fe0 [0150.264] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1da010 [0150.264] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1da040 [0150.264] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1da070 [0150.264] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1da0a0 [0150.264] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1da0d0 [0150.264] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1da100 [0150.264] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1da130 [0150.264] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x540) returned 0x1daeb0 [0150.265] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1dab20 | out: hHeap=0x1a0000) returned 1 [0150.265] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1da160 [0150.265] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1da190 [0150.265] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1da1c0 [0150.265] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1da1f0 [0150.265] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1da220 [0150.266] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.267] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9890 | out: hHeap=0x1a0000) returned 1 [0150.267] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.267] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.267] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.267] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.267] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x12) returned 0x1d63b0 [0150.267] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.268] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.268] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.268] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.268] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.268] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.268] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0270 [0150.269] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.269] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.269] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.269] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x11) returned 0x1d63b0 [0150.269] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.269] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.270] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.270] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.270] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.270] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.270] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x80) returned 0x1d61f0 [0150.271] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0270 | out: hHeap=0x1a0000) returned 1 [0150.272] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.272] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.272] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.272] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0xf) returned 0x1d63b0 [0150.272] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.272] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.273] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.273] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.273] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.273] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.273] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0xc0) returned 0x1d40b0 [0150.274] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d61f0 | out: hHeap=0x1a0000) returned 1 [0150.274] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.274] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.274] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.274] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d63b0 [0150.274] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.274] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.275] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.276] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.276] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.276] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.276] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x100) returned 0x1d9520 [0150.276] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d40b0 | out: hHeap=0x1a0000) returned 1 [0150.276] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.276] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.276] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.276] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x13) returned 0x1d63b0 [0150.276] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.277] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.277] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.277] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.277] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.277] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.277] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x180) returned 0x1dab20 [0150.278] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9520 | out: hHeap=0x1a0000) returned 1 [0150.278] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.278] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.278] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.279] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x12) returned 0x1d63b0 [0150.279] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.279] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.279] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.279] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.280] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.280] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.280] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.281] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.281] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.281] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d63b0 [0150.281] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.281] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.282] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.282] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.282] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.282] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.282] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x240) returned 0x1d9890 [0150.283] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1dab20 | out: hHeap=0x1a0000) returned 1 [0150.284] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.284] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.284] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.285] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0xe) returned 0x1d63b0 [0150.285] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.285] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.285] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.286] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.286] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.286] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.287] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.287] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.287] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.287] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x12) returned 0x1d63b0 [0150.287] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.287] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.288] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.288] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.288] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.288] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.288] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.288] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.289] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.289] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x11) returned 0x1d63b0 [0150.289] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.289] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.289] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.289] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.289] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.290] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.290] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x340) returned 0x1dab20 [0150.290] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9890 | out: hHeap=0x1a0000) returned 1 [0150.291] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.291] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.291] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.291] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x13) returned 0x1d63b0 [0150.291] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.291] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.292] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.294] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.294] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.294] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.295] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.295] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.295] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.296] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x12) returned 0x1d63b0 [0150.296] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.296] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.296] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.296] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.296] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.296] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.297] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.297] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.297] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.297] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x13) returned 0x1d63b0 [0150.298] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.298] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.298] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.298] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.298] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.298] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.299] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.299] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.299] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.299] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x12) returned 0x1d63b0 [0150.299] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.299] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.300] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.300] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.300] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.300] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.300] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x4c0) returned 0x1d9890 [0150.301] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1dab20 | out: hHeap=0x1a0000) returned 1 [0150.301] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.301] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.301] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.302] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x11) returned 0x1d63b0 [0150.302] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.302] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.302] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.302] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.302] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.302] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.303] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.303] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.304] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.304] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x12) returned 0x1d63b0 [0150.304] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.304] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.305] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.306] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.306] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.306] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.306] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.307] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.307] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.307] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d63b0 [0150.307] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.307] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.308] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.308] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.308] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.308] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.309] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.309] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.309] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.310] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d63b0 [0150.310] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.310] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.310] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.310] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.310] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.310] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.311] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.311] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.311] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.311] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x11) returned 0x1d63b0 [0150.311] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.311] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.312] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.312] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.312] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.312] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.313] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.313] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.313] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.313] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x11) returned 0x1d63b0 [0150.313] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.314] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.314] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.314] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.314] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.314] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.314] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x700) returned 0x1db400 [0150.315] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9890 | out: hHeap=0x1a0000) returned 1 [0150.316] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.316] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.316] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.316] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x12) returned 0x1d63b0 [0150.317] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.317] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.317] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.317] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.317] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.317] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.318] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.318] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.318] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.318] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x11) returned 0x1d63b0 [0150.318] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.319] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.319] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.319] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.319] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.319] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.320] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.320] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.320] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.320] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x11) returned 0x1d63b0 [0150.320] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.321] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.321] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.321] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.321] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.321] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.322] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.322] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.322] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.322] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x12) returned 0x1d63b0 [0150.322] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.323] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.323] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.323] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.323] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.324] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.324] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.324] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.324] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.324] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x11) returned 0x1d63b0 [0150.324] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.324] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.325] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.325] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.325] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.325] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.325] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.326] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.326] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.326] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d63b0 [0150.326] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.326] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.326] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.326] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.326] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.326] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.327] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.327] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.327] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.327] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x12) returned 0x1d63b0 [0150.327] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.327] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.328] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.328] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.328] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.328] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.328] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.329] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.329] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.329] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x11) returned 0x1d63b0 [0150.329] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.329] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.330] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.330] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.330] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.330] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.330] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.330] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.330] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.330] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x13) returned 0x1d63b0 [0150.330] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.331] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.331] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.331] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.331] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.331] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.331] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0xa80) returned 0x1dbb10 [0150.332] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1db400 | out: hHeap=0x1a0000) returned 1 [0150.332] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.332] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.333] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.333] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d63b0 [0150.333] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.333] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.333] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.334] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.334] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.334] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.334] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.334] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.334] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.334] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x11) returned 0x1d63b0 [0150.334] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.334] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.335] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.335] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.335] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.335] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.336] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.336] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.336] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.336] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x13) returned 0x1d63b0 [0150.336] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.336] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.337] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.337] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.337] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.337] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.337] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.337] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6350 [0150.337] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x10) returned 0x1d6390 [0150.337] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x12) returned 0x1d63b0 [0150.337] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1c5eb0 [0150.337] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x40) returned 0x1d0220 [0150.338] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5eb0 | out: hHeap=0x1a0000) returned 1 [0150.338] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d63b0 | out: hHeap=0x1a0000) returned 1 [0150.338] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6390 | out: hHeap=0x1a0000) returned 1 [0150.338] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6350 | out: hHeap=0x1a0000) returned 1 [0150.338] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d0220 | out: hHeap=0x1a0000) returned 1 [0150.338] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5f10 | out: hHeap=0x1a0000) returned 1 [0150.339] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5ee0 | out: hHeap=0x1a0000) returned 1 [0150.339] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5f40 | out: hHeap=0x1a0000) returned 1 [0150.340] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5f70 | out: hHeap=0x1a0000) returned 1 [0150.340] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5fa0 | out: hHeap=0x1a0000) returned 1 [0150.340] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c5fd0 | out: hHeap=0x1a0000) returned 1 [0150.340] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c6000 | out: hHeap=0x1a0000) returned 1 [0150.341] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c6030 | out: hHeap=0x1a0000) returned 1 [0150.341] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c6060 | out: hHeap=0x1a0000) returned 1 [0150.342] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c6090 | out: hHeap=0x1a0000) returned 1 [0150.342] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c60c0 | out: hHeap=0x1a0000) returned 1 [0150.342] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c60f0 | out: hHeap=0x1a0000) returned 1 [0150.343] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c6120 | out: hHeap=0x1a0000) returned 1 [0150.343] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c6150 | out: hHeap=0x1a0000) returned 1 [0150.344] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1c6180 | out: hHeap=0x1a0000) returned 1 [0150.345] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9f50 | out: hHeap=0x1a0000) returned 1 [0150.345] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9f80 | out: hHeap=0x1a0000) returned 1 [0150.346] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9fb0 | out: hHeap=0x1a0000) returned 1 [0150.347] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d9fe0 | out: hHeap=0x1a0000) returned 1 [0150.347] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1da010 | out: hHeap=0x1a0000) returned 1 [0150.347] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1da040 | out: hHeap=0x1a0000) returned 1 [0150.347] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1da070 | out: hHeap=0x1a0000) returned 1 [0150.348] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1da0a0 | out: hHeap=0x1a0000) returned 1 [0150.348] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1da0d0 | out: hHeap=0x1a0000) returned 1 [0150.348] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1da100 | out: hHeap=0x1a0000) returned 1 [0150.349] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1da130 | out: hHeap=0x1a0000) returned 1 [0150.350] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1da160 | out: hHeap=0x1a0000) returned 1 [0150.350] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1da190 | out: hHeap=0x1a0000) returned 1 [0150.351] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1da1c0 | out: hHeap=0x1a0000) returned 1 [0150.351] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1da1f0 | out: hHeap=0x1a0000) returned 1 [0150.352] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1da220 | out: hHeap=0x1a0000) returned 1 [0150.353] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1daeb0 | out: hHeap=0x1a0000) returned 1 [0150.353] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d5f40 | out: hHeap=0x1a0000) returned 1 [0150.354] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0150.367] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0151.094] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77280000 [0151.094] GetProcAddress (hModule=0x77280000, lpProcName="ZwAllocateVirtualMemory") returned 0x772d1490 [0151.094] GetProcAddress (hModule=0x77280000, lpProcName="ZwWriteVirtualMemory") returned 0x772d16b0 [0151.094] GetProcAddress (hModule=0x77280000, lpProcName="ZwReadVirtualMemory") returned 0x772d1700 [0151.094] GetProcAddress (hModule=0x77280000, lpProcName="ZwGetContextThread") returned 0x772d1fe0 [0151.094] GetProcAddress (hModule=0x77280000, lpProcName="ZwSetContextThread") returned 0x772d2840 [0151.107] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x30) returned 0x1e8020 [0151.120] CoCreateInstance (in: rclsid=0x1df57e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1df57f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x247f3d0 | out: ppv=0x247f3d0*=0x1d66d0) returned 0x0 [0151.142] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d66d0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x247f3c8 | out: ppNamespace=0x247f3c8*=0x203690) returned 0x0 [0151.229] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x7fefd730000 [0151.230] GetProcAddress (hModule=0x7fefd730000, lpProcName="CoSetProxyBlanket") returned 0x7fefd76bf00 [0151.230] CoSetProxyBlanket (pProxy=0x203690, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0151.230] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x18) returned 0x1d69d0 [0151.230] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e8020, cbMultiByte=35, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 35 [0151.230] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e8020, cbMultiByte=35, lpWideCharStr=0x247f2c0, cchWideChar=35 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystem") returned 35 [0151.230] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x18) returned 0x1d69f0 [0151.230] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e0b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0151.230] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e0b258, cbMultiByte=4, lpWideCharStr=0x247f300, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0151.231] IWbemServices:ExecQuery (in: This=0x203690, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystem", lFlags=48, pCtx=0x0, ppEnum=0x247f3d8 | out: ppEnum=0x247f3d8*=0x20a650) returned 0x0 [0151.238] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d69f0 | out: hHeap=0x1a0000) returned 1 [0151.238] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d69d0 | out: hHeap=0x1a0000) returned 1 [0151.238] IEnumWbemClassObject:Next (in: This=0x20a650, lTimeout=-1, uCount=0x1, apObjects=0x247f3e0, puReturned=0x247f4f8 | out: apObjects=0x247f3e0*=0x20e460, puReturned=0x247f4f8*=0x1) returned 0x0 [0151.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x247f530, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0151.259] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x247f530, cbMultiByte=4, lpWideCharStr=0x247f2f8, cchWideChar=4 | out: lpWideCharStr="Name") returned 4 [0151.318] IWbemClassObject:Get (in: This=0x20e460, wszName="Name", lFlags=0, pVal=0x247f480*(varType=0x0, wReserved1=0x1e, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x247f480*(varType=0x8, wReserved1=0x1e, wReserved2=0x0, wReserved3=0x0, varVal1="Q9IATRKPRH", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0151.318] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x20) returned 0x1ebd00 [0151.318] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0151.318] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Q9IATRKPRH", cchWideChar=10, lpMultiByteStr=0x247f318, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Q9IATRKPRH", lpUsedDefaultChar=0x0) returned 10 [0151.319] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1ebd00 | out: hHeap=0x1a0000) returned 1 [0151.319] IUnknown:Release (This=0x20e460) returned 0x0 [0151.319] WbemLocator:IUnknown:Release (This=0x203690) returned 0x0 [0151.384] WbemLocator:IUnknown:Release (This=0x1d66d0) returned 0x0 [0151.384] IUnknown:Release (This=0x20a650) returned 0x0 [0151.385] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1e8020 | out: hHeap=0x1a0000) returned 1 [0151.385] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x30) returned 0x1e8020 [0151.385] CoCreateInstance (in: rclsid=0x1df57e8*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x1df57f8*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x247f3d0 | out: ppv=0x247f3d0*=0x1d69f0) returned 0x0 [0151.385] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d69f0, strNetworkResource="", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x247f3c8 | out: ppNamespace=0x247f3c8*=0x203690) returned 0x0 [0151.417] CoSetProxyBlanket (pProxy=0x203690, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0151.417] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x18) returned 0x1d6a50 [0151.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e8020, cbMultiByte=42, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 42 [0151.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e8020, cbMultiByte=42, lpWideCharStr=0x247f2b0, cchWideChar=42 | out: lpWideCharStr="SELECT * FROM Win32_ComputerSystemProduct") returned 42 [0151.417] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x18) returned 0x1d66d0 [0151.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e0b258, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0151.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1e0b258, cbMultiByte=4, lpWideCharStr=0x247f300, cchWideChar=4 | out: lpWideCharStr="WQL") returned 4 [0151.417] IWbemServices:ExecQuery (in: This=0x203690, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ComputerSystemProduct", lFlags=48, pCtx=0x0, ppEnum=0x247f3d8 | out: ppEnum=0x247f3d8*=0x20a650) returned 0x0 [0151.431] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d66d0 | out: hHeap=0x1a0000) returned 1 [0151.431] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d6a50 | out: hHeap=0x1a0000) returned 1 [0151.431] IEnumWbemClassObject:Next (in: This=0x20a650, lTimeout=-1, uCount=0x1, apObjects=0x247f3e0, puReturned=0x247f4f8 | out: apObjects=0x247f3e0*=0x20c3d0, puReturned=0x247f4f8*=0x1) returned 0x0 [0151.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x247f530, cbMultiByte=4, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 4 [0151.452] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x247f530, cbMultiByte=4, lpWideCharStr=0x247f2f8, cchWideChar=4 | out: lpWideCharStr="UUID") returned 4 [0151.452] IWbemClassObject:Get (in: This=0x20c3d0, wszName="UUID", lFlags=0, pVal=0x247f480*(varType=0x0, wReserved1=0x1e, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x247f480*(varType=0x8, wReserved1=0x1e, wReserved2=0x0, wReserved3=0x0, varVal1="4C4C4544-0050-3710-8058-CAC04F59344A", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0151.452] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x50) returned 0x1e7700 [0151.452] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0151.452] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x30) returned 0x1fdd90 [0151.452] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4C4C4544-0050-3710-8058-CAC04F59344A", cchWideChar=36, lpMultiByteStr=0x1fdd90, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4C4C4544-0050-3710-8058-CAC04F59344A", lpUsedDefaultChar=0x0) returned 36 [0151.453] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1e7700 | out: hHeap=0x1a0000) returned 1 [0151.453] IUnknown:Release (This=0x20c3d0) returned 0x0 [0151.453] WbemLocator:IUnknown:Release (This=0x203690) returned 0x0 [0151.455] WbemLocator:IUnknown:Release (This=0x1d69f0) returned 0x0 [0151.455] IUnknown:Release (This=0x20a650) returned 0x0 [0151.458] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1e8020 | out: hHeap=0x1a0000) returned 1 [0151.458] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x30) returned 0x1e8020 [0151.543] GetLastError () returned 0x0 [0151.543] SetLastError (dwErrCode=0x0) [0151.641] GetLastError () returned 0x0 [0151.641] SetLastError (dwErrCode=0x0) [0151.641] GetLastError () returned 0x0 [0151.641] SetLastError (dwErrCode=0x0) [0151.641] GetLastError () returned 0x0 [0151.641] SetLastError (dwErrCode=0x0) [0151.641] GetLastError () returned 0x0 [0151.641] SetLastError (dwErrCode=0x0) [0151.641] GetLastError () returned 0x0 [0151.641] SetLastError (dwErrCode=0x0) [0151.641] GetLastError () returned 0x0 [0151.641] SetLastError (dwErrCode=0x0) [0151.641] GetLastError () returned 0x0 [0151.641] SetLastError (dwErrCode=0x0) [0151.641] GetLastError () returned 0x0 [0151.641] SetLastError (dwErrCode=0x0) [0151.641] GetLastError () returned 0x0 [0151.641] SetLastError (dwErrCode=0x0) [0151.641] GetLastError () returned 0x0 [0151.641] SetLastError (dwErrCode=0x0) [0151.641] GetLastError () returned 0x0 [0151.642] SetLastError (dwErrCode=0x0) [0151.642] GetLastError () returned 0x0 [0151.642] SetLastError (dwErrCode=0x0) [0151.642] GetLastError () returned 0x0 [0151.642] SetLastError (dwErrCode=0x0) [0151.642] GetLastError () returned 0x0 [0151.642] SetLastError (dwErrCode=0x0) [0151.642] GetLastError () returned 0x0 [0151.642] SetLastError (dwErrCode=0x0) [0151.642] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x30) returned 0x1fdd50 [0151.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1fdd50, cbMultiByte=32, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 32 [0151.642] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x0, Size=0x50) returned 0x1e7400 [0151.642] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1fdd50, cbMultiByte=32, lpWideCharStr=0x1e7400, cchWideChar=32 | out: lpWideCharStr="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 32 [0151.642] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName="aa360b8ffe2aca5f0f5c1f9ffd6f6a58") returned 0x178 [0151.642] GetLastError () returned 0xb7 [0151.642] CloseHandle (hObject=0x178) returned 1 [0151.643] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1e7400 | out: hHeap=0x1a0000) returned 1 [0151.643] CoUninitialize () [0151.774] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1fdd50 | out: hHeap=0x1a0000) returned 1 [0151.774] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1e8020 | out: hHeap=0x1a0000) returned 1 [0151.775] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1fdd90 | out: hHeap=0x1a0000) returned 1 [0151.775] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1dbb10 | out: hHeap=0x1a0000) returned 1 [0151.775] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1cbf60 | out: hHeap=0x1a0000) returned 1 [0151.776] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1cbee0 | out: hHeap=0x1a0000) returned 1 [0151.776] HeapFree (in: hHeap=0x1a0000, dwFlags=0x0, lpMem=0x1d5b70 | out: hHeap=0x1a0000) returned 1 Thread: id = 204 os_tid = 0xd08 Thread: id = 205 os_tid = 0xcfc [0151.170] GetLastError () returned 0x57 [0151.170] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x78) returned 0x1cbfe0 [0151.170] SetLastError (dwErrCode=0x57) [0151.170] GetLastError () returned 0x57 [0151.170] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3c8) returned 0x1f4eb0 [0151.171] SetLastError (dwErrCode=0x57) Thread: id = 206 os_tid = 0xcf8 [0151.191] GetLastError () returned 0x57 [0151.191] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x78) returned 0x1cc060 [0151.191] SetLastError (dwErrCode=0x57) [0151.191] GetLastError () returned 0x57 [0151.191] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3c8) returned 0x202fe0 [0151.191] SetLastError (dwErrCode=0x57) Thread: id = 207 os_tid = 0xcf4 [0151.192] GetLastError () returned 0x57 [0151.192] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x78) returned 0x1cc0e0 [0151.192] SetLastError (dwErrCode=0x57) [0151.192] GetLastError () returned 0x57 [0151.192] RtlAllocateHeap (HeapHandle=0x1a0000, Flags=0x8, Size=0x3c8) returned 0x206c40 [0151.192] SetLastError (dwErrCode=0x57) Process: id = "46" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x379c9000" os_pid = "0x608" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"%Temp%\\IXP000.TMP\\\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3194 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3195 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3196 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3197 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3198 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3199 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3200 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3201 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 3202 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3203 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3204 start_va = 0x7fffffda000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 3205 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3206 start_va = 0x150000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3207 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3208 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3209 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3210 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3211 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3212 start_va = 0x150000 end_va = 0x1b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3213 start_va = 0x340000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 3214 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3215 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3216 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3217 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3218 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3219 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3220 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3221 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3222 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3223 start_va = 0x440000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3224 start_va = 0x1c0000 end_va = 0x2bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3230 start_va = 0x2c0000 end_va = 0x2e8fff monitored = 0 entry_point = 0x2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3231 start_va = 0x440000 end_va = 0x5c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 3232 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 3233 start_va = 0x2c0000 end_va = 0x2e8fff monitored = 0 entry_point = 0x2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3234 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3235 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3242 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3243 start_va = 0x2c0000 end_va = 0x2c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 3244 start_va = 0x610000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 3245 start_va = 0x7a0000 end_va = 0x1b9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 3287 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 3288 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 3289 start_va = 0x2d0000 end_va = 0x2d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3290 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 3291 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 3446 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 3447 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Thread: id = 196 os_tid = 0x7f4 [0146.406] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fb78 | out: lpSystemTimeAsFileTime=0x14fb78*(dwLowDateTime=0x475199e0, dwHighDateTime=0x1d937fd)) [0146.406] GetCurrentThreadId () returned 0x7f4 [0146.407] GetCurrentProcessId () returned 0x608 [0146.407] QueryPerformanceCounter (in: lpPerformanceCount=0x14fb80 | out: lpPerformanceCount=0x14fb80*=3330616373132) returned 1 [0146.407] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0146.411] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0146.412] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0146.413] GetLastError () returned 0x7e [0146.413] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0146.413] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0146.413] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0146.414] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0146.415] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0146.415] GetProcessHeap () returned 0x340000 [0146.416] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0146.416] GetLastError () returned 0x7e [0146.416] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0146.416] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0146.416] GetLastError () returned 0x7e [0146.416] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0146.416] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0146.416] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x3c8) returned 0x35cfd0 [0146.417] SetLastError (dwErrCode=0x7e) [0146.417] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1200) returned 0x35d3a0 [0146.418] GetStartupInfoW (in: lpStartupInfo=0x14fa50 | out: lpStartupInfo=0x14fa50*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x14fad8, hStdError=0x1)) [0146.418] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0146.418] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0146.419] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0146.419] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0146.419] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0146.419] GetACP () returned 0x4e4 [0146.419] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x228) returned 0x35abb0 [0146.419] IsValidCodePage (CodePage=0x4e4) returned 1 [0146.420] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14fa10 | out: lpCPInfo=0x14fa10) returned 1 [0146.420] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14f2b0 | out: lpCPInfo=0x14f2b0) returned 1 [0146.420] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f2d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0146.420] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f2d0, cbMultiByte=256, lpWideCharStr=0x14f000, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0146.420] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x14f5d0 | out: lpCharType=0x14f5d0) returned 1 [0146.421] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f2d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0146.421] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f2d0, cbMultiByte=256, lpWideCharStr=0x14efa0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0146.421] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0146.421] GetLastError () returned 0x7e [0146.421] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0146.421] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0146.422] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x14ed90, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0146.422] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x14f3d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ°«5", lpUsedDefaultChar=0x0) returned 256 [0146.422] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f2d0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0146.422] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f2d0, cbMultiByte=256, lpWideCharStr=0x14efa0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0146.422] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0146.422] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x14ed90, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0146.422] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x14f4d0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x100) returned 0x35f5b0 [0146.423] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1a0) returned 0x35f6c0 [0146.423] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0146.423] GetLastError () returned 0x0 [0146.423] SetLastError (dwErrCode=0x0) [0146.423] GetEnvironmentStringsW () returned 0x35f870* [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0xb32) returned 0x3603b0 [0146.423] FreeEnvironmentStringsW (penv=0x35f870) returned 1 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x128) returned 0x35f870 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x3e) returned 0x35b000 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x56) returned 0x35ade0 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x62) returned 0x360ef0 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x78) returned 0x35f9a0 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x62) returned 0x360f60 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x30) returned 0x35e920 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x48) returned 0x35b050 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x28) returned 0x3579c0 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1a) returned 0x3579f0 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x34) returned 0x35e960 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x5c) returned 0x35fa20 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x32) returned 0x35e9a0 [0146.423] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x2e) returned 0x35e9e0 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1c) returned 0x357a20 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x19c) returned 0x35fa90 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x7c) returned 0x35fc40 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x3a) returned 0x35b0a0 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x90) returned 0x35fcd0 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x24) returned 0x357a50 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x30) returned 0x35ea20 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x36) returned 0x35ea60 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x3c) returned 0x35b0f0 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x52) returned 0x35fd70 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x3c) returned 0x35b140 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xd6) returned 0x35fdd0 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x2e) returned 0x35eaa0 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1e) returned 0x357a80 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x2c) returned 0x35eae0 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x54) returned 0x35feb0 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x52) returned 0x35ff10 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x2c) returned 0x35eb20 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x26) returned 0x357ab0 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x3e) returned 0x35b190 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x24) returned 0x357ae0 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x30) returned 0x35eb60 [0146.424] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x8c) returned 0x35ff70 [0146.425] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x3603b0 | out: hHeap=0x340000) returned 1 [0146.425] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1000) returned 0x360fd0 [0146.425] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0146.425] GetStartupInfoW (in: lpStartupInfo=0x14fae0 | out: lpStartupInfo=0x14fae0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0146.425] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0146.426] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=FPH732n7 /fn_args=\"%Temp%\\IXP000.TMP\\\"", pNumArgs=0x14fab0 | out: pNumArgs=0x14fab0) returned 0x360490*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0146.426] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0146.494] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1000) returned 0x3640c0 [0146.494] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x12) returned 0x360ed0 [0146.494] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="FPH732n7", cchWideChar=-1, lpMultiByteStr=0x360ed0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FPH732n7", lpUsedDefaultChar=0x0) returned 9 [0146.494] GetLastError () returned 0x0 [0146.495] SetLastError (dwErrCode=0x0) [0146.495] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7W") returned 0x0 [0146.495] GetLastError () returned 0x7f [0146.495] SetLastError (dwErrCode=0x7f) [0146.495] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7A") returned 0x0 [0146.495] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="FPH732n7") returned 0x7fef2eb1cf0 [0146.495] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x26) returned 0x357b70 [0146.495] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="%Temp%\\IXP000.TMP\"", cchWideChar=-1, lpMultiByteStr=0x357b70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="%Temp%\\IXP000.TMP\"", lpUsedDefaultChar=0x0) returned 19 [0146.495] GetActiveWindow () returned 0x0 [0146.501] GetLastError () returned 0x7f [0146.501] SetLastError (dwErrCode=0x7f) Process: id = "47" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x380d5000" os_pid = "0x88c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"%Temp%\\IXP000.TMP\\\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3246 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3247 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3248 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3249 start_va = 0x190000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 3250 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3251 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3252 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3253 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 3254 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3255 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3256 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3257 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3258 start_va = 0x290000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 3259 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3260 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3261 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3262 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3263 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3264 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3265 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3266 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3267 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3268 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3269 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3270 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3271 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3272 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3273 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3274 start_va = 0xc0000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3275 start_va = 0x290000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 3276 start_va = 0x400000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3277 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3278 start_va = 0x180000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 3279 start_va = 0x500000 end_va = 0x687fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 3280 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3281 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3282 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3283 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3284 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3285 start_va = 0x690000 end_va = 0x810fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 3286 start_va = 0x820000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 3292 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 3293 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 3294 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3295 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3296 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Thread: id = 198 os_tid = 0x610 [0146.514] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fd58 | out: lpSystemTimeAsFileTime=0x28fd58*(dwLowDateTime=0x476214a0, dwHighDateTime=0x1d937fd)) [0146.514] GetCurrentThreadId () returned 0x610 [0146.514] GetCurrentProcessId () returned 0x88c [0146.514] QueryPerformanceCounter (in: lpPerformanceCount=0x28fd60 | out: lpPerformanceCount=0x28fd60*=3330627164512) returned 1 [0146.516] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0146.518] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0146.518] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0146.518] GetLastError () returned 0x7e [0146.518] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0146.518] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0146.519] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0146.519] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0146.520] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0146.521] GetProcessHeap () returned 0x400000 [0146.521] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0146.521] GetLastError () returned 0x7e [0146.521] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0146.521] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0146.521] GetLastError () returned 0x7e [0146.521] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0146.521] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0146.521] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3c8) returned 0x41cfd0 [0146.522] SetLastError (dwErrCode=0x7e) [0146.522] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x1200) returned 0x41d3a0 [0146.524] GetStartupInfoW (in: lpStartupInfo=0x28fc30 | out: lpStartupInfo=0x28fc30*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x28fcb8, hStdError=0x1)) [0146.524] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0146.524] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0146.524] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0146.524] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0146.524] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0146.524] GetACP () returned 0x4e4 [0146.525] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x228) returned 0x41abb0 [0146.525] IsValidCodePage (CodePage=0x4e4) returned 1 [0146.525] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x28fbf0 | out: lpCPInfo=0x28fbf0) returned 1 [0146.525] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x28f490 | out: lpCPInfo=0x28f490) returned 1 [0146.525] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f4b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0146.525] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f4b0, cbMultiByte=256, lpWideCharStr=0x28f1e0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0146.525] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x28f7b0 | out: lpCharType=0x28f7b0) returned 1 [0146.525] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f4b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0146.525] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f4b0, cbMultiByte=256, lpWideCharStr=0x28f180, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0146.525] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0146.525] GetLastError () returned 0x7e [0146.525] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0146.525] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0146.526] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x28ef70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0146.526] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x28f5b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ°«A", lpUsedDefaultChar=0x0) returned 256 [0146.526] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f4b0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0146.526] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f4b0, cbMultiByte=256, lpWideCharStr=0x28f180, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0146.526] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0146.526] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x28ef70, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0146.526] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x28f6b0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0146.526] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x100) returned 0x41f5b0 [0146.526] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0146.526] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x1a0) returned 0x41f6c0 [0146.526] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0146.526] GetLastError () returned 0x0 [0146.526] SetLastError (dwErrCode=0x0) [0146.526] GetEnvironmentStringsW () returned 0x41f870* [0146.526] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0xb32) returned 0x4203b0 [0146.526] FreeEnvironmentStringsW (penv=0x41f870) returned 1 [0146.526] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x128) returned 0x41f870 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3e) returned 0x41b000 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x56) returned 0x41ade0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x62) returned 0x420ef0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x78) returned 0x41f9a0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x62) returned 0x420f60 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x30) returned 0x41e920 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x48) returned 0x41b050 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x28) returned 0x4179c0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x1a) returned 0x4179f0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x34) returned 0x41e960 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x5c) returned 0x41fa20 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x32) returned 0x41e9a0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x2e) returned 0x41e9e0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x1c) returned 0x417a20 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x19c) returned 0x41fa90 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x7c) returned 0x41fc40 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3a) returned 0x41b0a0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x90) returned 0x41fcd0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x24) returned 0x417a50 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x30) returned 0x41ea20 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x36) returned 0x41ea60 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3c) returned 0x41b0f0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x52) returned 0x41fd70 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3c) returned 0x41b140 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0xd6) returned 0x41fdd0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x2e) returned 0x41eaa0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x1e) returned 0x417a80 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x2c) returned 0x41eae0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x54) returned 0x41feb0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x52) returned 0x41ff10 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x2c) returned 0x41eb20 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x26) returned 0x417ab0 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x3e) returned 0x41b190 [0146.527] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x24) returned 0x417ae0 [0146.528] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x30) returned 0x41eb60 [0146.528] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x8c) returned 0x41ff70 [0146.528] HeapFree (in: hHeap=0x400000, dwFlags=0x0, lpMem=0x4203b0 | out: hHeap=0x400000) returned 1 [0146.528] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x8, Size=0x1000) returned 0x420fd0 [0146.529] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0146.529] GetStartupInfoW (in: lpStartupInfo=0x28fcc0 | out: lpStartupInfo=0x28fcc0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0146.529] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0146.529] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=KlXWgB9j /fn_args=\"%Temp%\\IXP000.TMP\\\"", pNumArgs=0x28fc90 | out: pNumArgs=0x28fc90) returned 0x420490*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0146.529] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0146.534] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x1000) returned 0x4240c0 [0146.534] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x12) returned 0x420ed0 [0146.534] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="KlXWgB9j", cchWideChar=-1, lpMultiByteStr=0x420ed0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="KlXWgB9j", lpUsedDefaultChar=0x0) returned 9 [0146.534] GetLastError () returned 0x0 [0146.535] SetLastError (dwErrCode=0x0) [0146.535] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jW") returned 0x0 [0146.535] GetLastError () returned 0x7f [0146.535] SetLastError (dwErrCode=0x7f) [0146.535] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9jA") returned 0x0 [0146.535] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="KlXWgB9j") returned 0x7fef2eb0010 [0146.535] RtlAllocateHeap (HeapHandle=0x400000, Flags=0x0, Size=0x26) returned 0x417b70 [0146.535] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="%Temp%\\IXP000.TMP\"", cchWideChar=-1, lpMultiByteStr=0x417b70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="%Temp%\\IXP000.TMP\"", lpUsedDefaultChar=0x0) returned 19 [0146.535] GetActiveWindow () returned 0x0 [0146.646] GetLastError () returned 0x7f [0146.646] SetLastError (dwErrCode=0x7f) Process: id = "48" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x34de1000" os_pid = "0xcb0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"%Temp%\\IXP000.TMP\\\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3314 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3315 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3316 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3317 start_va = 0x170000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3318 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3319 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3320 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3321 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 3322 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3323 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3324 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3325 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3326 start_va = 0x270000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 3327 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3328 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3329 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3330 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3331 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3332 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3333 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3334 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3335 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3336 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3337 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3338 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3339 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3340 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3341 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3342 start_va = 0x440000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3343 start_va = 0x440000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3344 start_va = 0x540000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 3352 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3353 start_va = 0x550000 end_va = 0x6d7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 3354 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3355 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3356 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3357 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3358 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3359 start_va = 0x6e0000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 3360 start_va = 0x870000 end_va = 0x1c6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 3361 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 3362 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 3363 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3364 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3365 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Thread: id = 200 os_tid = 0xcb8 [0150.417] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fb38 | out: lpSystemTimeAsFileTime=0x26fb38*(dwLowDateTime=0x490871a0, dwHighDateTime=0x1d937fd)) [0150.417] GetCurrentThreadId () returned 0xcb8 [0150.417] GetCurrentProcessId () returned 0xcb0 [0150.417] QueryPerformanceCounter (in: lpPerformanceCount=0x26fb40 | out: lpPerformanceCount=0x26fb40*=3331017383452) returned 1 [0150.417] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0150.419] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0150.419] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0150.420] GetLastError () returned 0x7e [0150.420] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0150.420] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0150.420] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0150.421] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0150.421] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0150.421] GetProcessHeap () returned 0x340000 [0150.421] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0150.422] GetLastError () returned 0x7e [0150.422] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0150.422] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0150.422] GetLastError () returned 0x7e [0150.422] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0150.422] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0150.422] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x3c8) returned 0x35cfd0 [0150.422] SetLastError (dwErrCode=0x7e) [0150.422] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1200) returned 0x35d3a0 [0150.424] GetStartupInfoW (in: lpStartupInfo=0x26fa10 | out: lpStartupInfo=0x26fa10*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x26fa98, hStdError=0x1)) [0150.425] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0150.425] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0150.425] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0150.425] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0150.425] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0150.425] GetACP () returned 0x4e4 [0150.425] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x228) returned 0x35abb0 [0150.425] IsValidCodePage (CodePage=0x4e4) returned 1 [0150.425] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x26f9d0 | out: lpCPInfo=0x26f9d0) returned 1 [0150.425] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x26f270 | out: lpCPInfo=0x26f270) returned 1 [0150.425] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f290, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0150.425] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f290, cbMultiByte=256, lpWideCharStr=0x26efc0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0150.425] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x26f590 | out: lpCharType=0x26f590) returned 1 [0150.425] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f290, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0150.425] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f290, cbMultiByte=256, lpWideCharStr=0x26ef60, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0150.425] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0150.426] GetLastError () returned 0x7e [0150.426] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0150.426] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0150.426] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x26ed50, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0150.426] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x26f390, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ°«5", lpUsedDefaultChar=0x0) returned 256 [0150.426] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f290, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0150.427] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x26f290, cbMultiByte=256, lpWideCharStr=0x26ef60, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0150.427] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0150.427] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x26ed50, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0150.427] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x26f490, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0150.427] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x100) returned 0x35f5b0 [0150.427] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0150.427] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x19e) returned 0x35f6c0 [0150.427] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0150.427] GetLastError () returned 0x0 [0150.427] SetLastError (dwErrCode=0x0) [0150.427] GetEnvironmentStringsW () returned 0x35f870* [0150.427] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0xb32) returned 0x3603b0 [0150.427] FreeEnvironmentStringsW (penv=0x35f870) returned 1 [0150.427] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x128) returned 0x35f870 [0150.427] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x3e) returned 0x35b000 [0150.427] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x56) returned 0x35ade0 [0150.427] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x62) returned 0x360ef0 [0150.427] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x78) returned 0x35f9a0 [0150.427] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x62) returned 0x360f60 [0150.427] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x30) returned 0x35e920 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x48) returned 0x35b050 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x28) returned 0x3579c0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1a) returned 0x3579f0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x34) returned 0x35e960 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x5c) returned 0x35fa20 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x32) returned 0x35e9a0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x2e) returned 0x35e9e0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1c) returned 0x357a20 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x19c) returned 0x35fa90 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x7c) returned 0x35fc40 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x3a) returned 0x35b0a0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x90) returned 0x35fcd0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x24) returned 0x357a50 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x30) returned 0x35ea20 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x36) returned 0x35ea60 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x3c) returned 0x35b0f0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x52) returned 0x35fd70 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x3c) returned 0x35b140 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0xd6) returned 0x35fdd0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x2e) returned 0x35eaa0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1e) returned 0x357a80 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x2c) returned 0x35eae0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x54) returned 0x35feb0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x52) returned 0x35ff10 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x2c) returned 0x35eb20 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x26) returned 0x357ab0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x3e) returned 0x35b190 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x24) returned 0x357ae0 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x30) returned 0x35eb60 [0150.428] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x8c) returned 0x35ff70 [0150.429] HeapFree (in: hHeap=0x340000, dwFlags=0x0, lpMem=0x3603b0 | out: hHeap=0x340000) returned 1 [0150.429] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x8, Size=0x1000) returned 0x360fd0 [0150.430] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0150.430] GetStartupInfoW (in: lpStartupInfo=0x26faa0 | out: lpStartupInfo=0x26faa0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0150.430] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0150.430] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=LKKIJ77 /fn_args=\"%Temp%\\IXP000.TMP\\\"", pNumArgs=0x26fa70 | out: pNumArgs=0x26fa70) returned 0x360490*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0150.430] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0150.440] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x1000) returned 0x3640c0 [0150.440] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x10) returned 0x360ed0 [0150.441] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="LKKIJ77", cchWideChar=-1, lpMultiByteStr=0x360ed0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="LKKIJ77", lpUsedDefaultChar=0x0) returned 8 [0150.441] GetLastError () returned 0x0 [0150.441] SetLastError (dwErrCode=0x0) [0150.441] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77W") returned 0x0 [0150.441] GetLastError () returned 0x7f [0150.441] SetLastError (dwErrCode=0x7f) [0150.441] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77A") returned 0x0 [0150.441] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="LKKIJ77") returned 0x7fef2ea6420 [0150.441] RtlAllocateHeap (HeapHandle=0x340000, Flags=0x0, Size=0x26) returned 0x357b70 [0150.441] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="%Temp%\\IXP000.TMP\"", cchWideChar=-1, lpMultiByteStr=0x357b70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="%Temp%\\IXP000.TMP\"", lpUsedDefaultChar=0x0) returned 19 [0150.441] GetActiveWindow () returned 0x0 [0150.459] GetLastError () returned 0x7f [0150.459] SetLastError (dwErrCode=0x7f) Process: id = "49" image_name = "mrnqsjgq.exe" filename = "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe" page_root = "0x357ed000" os_pid = "0xce4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xfc4" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"%Temp%\\IXP000.TMP\\\"" cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f3d7" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3368 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3369 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3370 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3371 start_va = 0xf0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3372 start_va = 0x77280000 end_va = 0x77428fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3373 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3374 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3375 start_va = 0x13f8e0000 end_va = 0x13f907fff monitored = 1 entry_point = 0x13f8e1e8c region_type = mapped_file name = "mrnqsjgq.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe") Region: id = 3376 start_va = 0x7feff5a0000 end_va = 0x7feff5a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3377 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3378 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 3379 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3380 start_va = 0x1f0000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3381 start_va = 0x77160000 end_va = 0x7727efff monitored = 0 entry_point = 0x77175340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3382 start_va = 0x7fefd4d0000 end_va = 0x7fefd53bfff monitored = 0 entry_point = 0x7fefd4d2780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3383 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3384 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3385 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3386 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3387 start_va = 0x77060000 end_va = 0x77159fff monitored = 0 entry_point = 0x7707a2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3388 start_va = 0x7fefed00000 end_va = 0x7fefed66fff monitored = 0 entry_point = 0x7fefed0b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3389 start_va = 0x7fefd940000 end_va = 0x7fefd94dfff monitored = 0 entry_point = 0x7fefd941080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3390 start_va = 0x7fefdd50000 end_va = 0x7fefde18fff monitored = 0 entry_point = 0x7fefddca874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3391 start_va = 0x7fefebb0000 end_va = 0x7fefec4efff monitored = 0 entry_point = 0x7fefebb25a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3392 start_va = 0x7fefde20000 end_va = 0x7fefeba7fff monitored = 0 entry_point = 0x7fefde9cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3393 start_va = 0x7fefec80000 end_va = 0x7fefecf0fff monitored = 0 entry_point = 0x7fefec91e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3394 start_va = 0x7fefd730000 end_va = 0x7fefd932fff monitored = 0 entry_point = 0x7fefd753330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3395 start_va = 0x7fefd5a0000 end_va = 0x7fefd6ccfff monitored = 0 entry_point = 0x7fefd5eed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3396 start_va = 0x1f0000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3397 start_va = 0x370000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 3398 start_va = 0x270000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 3399 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3400 start_va = 0x470000 end_va = 0x5f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3401 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3402 start_va = 0x7fefec50000 end_va = 0x7fefec7dfff monitored = 0 entry_point = 0x7fefec51010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3403 start_va = 0x7fefed80000 end_va = 0x7fefee88fff monitored = 0 entry_point = 0x7fefed81064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3404 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3405 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3406 start_va = 0x600000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 3407 start_va = 0x790000 end_va = 0x1b8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 3408 start_va = 0x7fefa010000 end_va = 0x7fefa012fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 3409 start_va = 0x7fef2ea0000 end_va = 0x7fef2f87fff monitored = 1 entry_point = 0x7fef2ea2ea0 region_type = mapped_file name = "51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" filename = "\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll" (normalized: "c:\\users\\keecfmwgj\\desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") Region: id = 3410 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3415 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3416 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 3417 start_va = 0x260000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 3444 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 3445 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Thread: id = 203 os_tid = 0xce8 [0150.960] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef8f8 | out: lpSystemTimeAsFileTime=0x1ef8f8*(dwLowDateTime=0x49564380, dwHighDateTime=0x1d937fd)) [0150.960] GetCurrentThreadId () returned 0xce8 [0150.960] GetCurrentProcessId () returned 0xce4 [0150.960] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef900 | out: lpPerformanceCount=0x1ef900*=3331071730173) returned 1 [0150.961] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0150.964] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0150.964] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0150.964] GetLastError () returned 0x7e [0150.964] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0150.965] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0150.965] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0150.966] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7fefa010000 [0150.966] GetProcAddress (hModule=0x7fefa010000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0150.967] GetProcessHeap () returned 0x370000 [0150.967] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0150.967] GetLastError () returned 0x7e [0150.967] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x77160000 [0150.967] GetProcAddress (hModule=0x77160000, lpProcName="FlsAlloc") returned 0x77176630 [0150.967] GetLastError () returned 0x7e [0150.967] GetProcAddress (hModule=0x77160000, lpProcName="FlsGetValue") returned 0x77181f00 [0150.968] GetProcAddress (hModule=0x77160000, lpProcName="FlsSetValue") returned 0x7717b1c0 [0150.968] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x3c8) returned 0x38cfd0 [0150.968] SetLastError (dwErrCode=0x7e) [0150.968] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1200) returned 0x38d3a0 [0150.970] GetStartupInfoW (in: lpStartupInfo=0x1ef7d0 | out: lpStartupInfo=0x1ef7d0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x1ef858, hStdError=0x1)) [0150.970] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0150.970] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0150.970] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0150.970] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0150.970] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0150.970] GetACP () returned 0x4e4 [0150.970] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0x228) returned 0x38abb0 [0150.970] IsValidCodePage (CodePage=0x4e4) returned 1 [0150.970] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1ef790 | out: lpCPInfo=0x1ef790) returned 1 [0150.970] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x1ef030 | out: lpCPInfo=0x1ef030) returned 1 [0150.970] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ef050, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0150.970] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ef050, cbMultiByte=256, lpWideCharStr=0x1eed80, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ") returned 256 [0150.970] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿҴ", cchSrc=256, lpCharType=0x1ef350 | out: lpCharType=0x1ef350) returned 1 [0150.971] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ef050, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0150.971] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ef050, cbMultiByte=256, lpWideCharStr=0x1eed20, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0150.971] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0150.971] GetLastError () returned 0x7e [0150.971] GetProcAddress (hModule=0x77160000, lpProcName="LCMapStringEx") returned 0x771abaf0 [0150.971] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0150.972] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1eeb10, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0150.972] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x1ef150, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ°«8", lpUsedDefaultChar=0x0) returned 256 [0150.972] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ef050, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0150.972] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x1ef050, cbMultiByte=256, lpWideCharStr=0x1eed20, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0150.972] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0150.972] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x1eeb10, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0150.972] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x1ef250, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0151.026] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0x100) returned 0x38f5b0 [0151.026] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f902300, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\mrnqsjgq.exe")) returned 0x27 [0151.026] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1a4) returned 0x38f6c0 [0151.026] RtlInitializeSListHead (in: ListHead=0x13f902160 | out: ListHead=0x13f902160) [0151.026] GetLastError () returned 0x0 [0151.026] SetLastError (dwErrCode=0x0) [0151.026] GetEnvironmentStringsW () returned 0x38f870* [0151.026] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0xb32) returned 0x3903b0 [0151.026] FreeEnvironmentStringsW (penv=0x38f870) returned 1 [0151.026] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x128) returned 0x38f870 [0151.026] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x3e) returned 0x38b000 [0151.026] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x56) returned 0x38ade0 [0151.026] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x62) returned 0x390ef0 [0151.026] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x78) returned 0x38f9a0 [0151.026] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x62) returned 0x390f60 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x30) returned 0x38e920 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x48) returned 0x38b050 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x28) returned 0x3879c0 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1a) returned 0x3879f0 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x34) returned 0x38e960 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x5c) returned 0x38fa20 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x32) returned 0x38e9a0 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x2e) returned 0x38e9e0 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1c) returned 0x387a20 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x19c) returned 0x38fa90 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x7c) returned 0x38fc40 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x3a) returned 0x38b0a0 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x90) returned 0x38fcd0 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x24) returned 0x387a50 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x30) returned 0x38ea20 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x36) returned 0x38ea60 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x3c) returned 0x38b0f0 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x52) returned 0x38fd70 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x3c) returned 0x38b140 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0xd6) returned 0x38fdd0 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x2e) returned 0x38eaa0 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1e) returned 0x387a80 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x2c) returned 0x38eae0 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x54) returned 0x38feb0 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x52) returned 0x38ff10 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x2c) returned 0x38eb20 [0151.027] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x26) returned 0x387ab0 [0151.028] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x3e) returned 0x38b190 [0151.028] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x24) returned 0x387ae0 [0151.028] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x30) returned 0x38eb60 [0151.028] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x8c) returned 0x38ff70 [0151.029] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x3903b0 | out: hHeap=0x370000) returned 1 [0151.029] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x8, Size=0x1000) returned 0x390fd0 [0151.030] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f8e2580) returned 0x0 [0151.030] GetStartupInfoW (in: lpStartupInfo=0x1ef860 | out: lpStartupInfo=0x1ef860*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0151.030] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"%Temp%\\IXP000.TMP\\\"" [0151.030] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe\" /dll=\"C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll\" /fn_id=MMlFUh3Tzt /fn_args=\"%Temp%\\IXP000.TMP\\\"", pNumArgs=0x1ef830 | out: pNumArgs=0x1ef830) returned 0x390490*="C:\\Users\\kEecfMwgj\\Desktop\\mrNQSJGq.exe" [0151.030] LoadLibraryW (lpLibFileName="C:\\Users\\KEECFM~1\\Desktop\\51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656.exe.dll") returned 0x7fef2ea0000 [0151.036] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0x1000) returned 0x3940c0 [0151.036] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0x16) returned 0x390ed0 [0151.036] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MMlFUh3Tzt", cchWideChar=-1, lpMultiByteStr=0x390ed0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MMlFUh3Tzt", lpUsedDefaultChar=0x0) returned 11 [0151.036] GetLastError () returned 0x0 [0151.036] SetLastError (dwErrCode=0x0) [0151.036] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztW") returned 0x0 [0151.036] GetLastError () returned 0x7f [0151.037] SetLastError (dwErrCode=0x7f) [0151.037] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3TztA") returned 0x0 [0151.037] GetProcAddress (hModule=0x7fef2ea0000, lpProcName="MMlFUh3Tzt") returned 0x7fef2eb0cf0 [0151.037] RtlAllocateHeap (HeapHandle=0x370000, Flags=0x0, Size=0x26) returned 0x387b70 [0151.037] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="%Temp%\\IXP000.TMP\"", cchWideChar=-1, lpMultiByteStr=0x387b70, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="%Temp%\\IXP000.TMP\"", lpUsedDefaultChar=0x0) returned 19 [0151.037] GetActiveWindow () returned 0x0 [0151.053] GetLastError () returned 0x7f [0151.053] SetLastError (dwErrCode=0x7f)