# Flog Txt Version 1 # Analyzer Version: 4.5.1 # Analyzer Build Date: May 9 2022 06:24:19 # Log Creation Date: 04.07.2022 12:01:29.851 Process: id = "1" image_name = "itsdzl.exe" filename = "c:\\users\\rdhj0cnfevzx\\desktop\\itsdzl.exe" page_root = "0x4a45a000" os_pid = "0xd7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x81c" cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\iTsDZL.exe\" \"C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f46a" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 121 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 122 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 123 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 124 start_va = 0x150000 end_va = 0x153fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 125 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 126 start_va = 0x170000 end_va = 0x171fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 127 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 128 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 129 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 130 start_va = 0x7ff6eab40000 end_va = 0x7ff6eab61fff monitored = 1 entry_point = 0x7ff6eab416cc region_type = mapped_file name = "itsdzl.exe" filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\iTsDZL.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\itsdzl.exe") Region: id = 131 start_va = 0x7ff92a680000 end_va = 0x7ff92a840fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 270 start_va = 0x5c0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 271 start_va = 0x7ff9271d0000 end_va = 0x7ff9273b7fff monitored = 0 entry_point = 0x7ff9271fba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 272 start_va = 0x7ff927b50000 end_va = 0x7ff927bfcfff monitored = 0 entry_point = 0x7ff927b681a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 273 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 274 start_va = 0x7ff5ffed0000 end_va = 0x7ff5fffcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5ffed0000" filename = "" Region: id = 275 start_va = 0x400000 end_va = 0x4bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 276 start_va = 0x7ff925490000 end_va = 0x7ff925508fff monitored = 0 entry_point = 0x7ff9254afb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 277 start_va = 0x7ff5ffe50000 end_va = 0x7ff5ffecdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 278 start_va = 0x7ff92a520000 end_va = 0x7ff92a675fff monitored = 0 entry_point = 0x7ff92a52a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 279 start_va = 0x7ff929ee0000 end_va = 0x7ff92a065fff monitored = 0 entry_point = 0x7ff929f2ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 280 start_va = 0x4c0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 281 start_va = 0x7ff928830000 end_va = 0x7ff9288d6fff monitored = 0 entry_point = 0x7ff9288458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 282 start_va = 0x7ff929e40000 end_va = 0x7ff929edcfff monitored = 0 entry_point = 0x7ff929e478a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 283 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 284 start_va = 0x7ff927af0000 end_va = 0x7ff927b4afff monitored = 0 entry_point = 0x7ff927b038b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 285 start_va = 0x7ff928540000 end_va = 0x7ff92865bfff monitored = 0 entry_point = 0x7ff9285802b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 286 start_va = 0x7ff9288e0000 end_va = 0x7ff929e3efff monitored = 0 entry_point = 0x7ff928a411f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 287 start_va = 0x7ff927180000 end_va = 0x7ff9271c2fff monitored = 0 entry_point = 0x7ff927194b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 288 start_va = 0x7ff9273c0000 end_va = 0x7ff927a03fff monitored = 0 entry_point = 0x7ff9275864b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 289 start_va = 0x7ff9282c0000 end_va = 0x7ff92853cfff monitored = 0 entry_point = 0x7ff928394970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 290 start_va = 0x7ff927a10000 end_va = 0x7ff927a79fff monitored = 0 entry_point = 0x7ff927a46d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 291 start_va = 0x7ff927ed0000 end_va = 0x7ff927f21fff monitored = 0 entry_point = 0x7ff927edf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 292 start_va = 0x7ff926ca0000 end_va = 0x7ff926caefff monitored = 0 entry_point = 0x7ff926ca3210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 293 start_va = 0x7ff926ed0000 end_va = 0x7ff926f84fff monitored = 0 entry_point = 0x7ff926f122e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 294 start_va = 0x7ff926cb0000 end_va = 0x7ff926cfafff monitored = 0 entry_point = 0x7ff926cb35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 295 start_va = 0x7ff926d00000 end_va = 0x7ff926d13fff monitored = 0 entry_point = 0x7ff926d052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 296 start_va = 0x180000 end_va = 0x1b8fff monitored = 0 entry_point = 0x1812f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 297 start_va = 0x6c0000 end_va = 0x847fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 298 start_va = 0x7ff927c80000 end_va = 0x7ff927cbafff monitored = 0 entry_point = 0x7ff927c812f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 299 start_va = 0x850000 end_va = 0x9d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 300 start_va = 0x9e0000 end_va = 0x1ddffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 301 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 302 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 303 start_va = 0x1de0000 end_va = 0x1f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 304 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 305 start_va = 0x1f50000 end_va = 0x2286fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 306 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 307 start_va = 0x1de0000 end_va = 0x1edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 308 start_va = 0x1f40000 end_va = 0x1f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 309 start_va = 0x7ff928110000 end_va = 0x7ff928252fff monitored = 0 entry_point = 0x7ff928138210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 310 start_va = 0x2290000 end_va = 0x234ffff monitored = 0 entry_point = 0x22b0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 311 start_va = 0x2290000 end_va = 0x236cfff monitored = 0 entry_point = 0x22ee0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 312 start_va = 0x7ff925530000 end_va = 0x7ff9255c5fff monitored = 0 entry_point = 0x7ff925555570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 313 start_va = 0x2290000 end_va = 0x238ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 314 start_va = 0x7ff925130000 end_va = 0x7ff9252b5fff monitored = 0 entry_point = 0x7ff92517d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 315 start_va = 0x7ff928040000 end_va = 0x7ff928100fff monitored = 0 entry_point = 0x7ff928060da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 316 start_va = 0x2290000 end_va = 0x236cfff monitored = 0 entry_point = 0x22ee0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 317 start_va = 0x2380000 end_va = 0x238ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002380000" filename = "" Region: id = 318 start_va = 0x2390000 end_va = 0x248ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002390000" filename = "" Region: id = 319 start_va = 0x2490000 end_va = 0x258ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 320 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 321 start_va = 0x2590000 end_va = 0x268ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 322 start_va = 0x7ff927cc0000 end_va = 0x7ff927d66fff monitored = 0 entry_point = 0x7ff927ccb4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 323 start_va = 0x7ff924370000 end_va = 0x7ff924802fff monitored = 0 entry_point = 0x7ff92437f760 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 324 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 325 start_va = 0x2690000 end_va = 0x278ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002690000" filename = "" Region: id = 326 start_va = 0x1e0000 end_va = 0x1e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 327 start_va = 0x1ee0000 end_va = 0x1f24fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 328 start_va = 0x1f0000 end_va = 0x1f3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 329 start_va = 0x2290000 end_va = 0x231dfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 330 start_va = 0x1f30000 end_va = 0x1f31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f30000" filename = "" Region: id = 331 start_va = 0x2320000 end_va = 0x2320fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002320000" filename = "" Region: id = 332 start_va = 0x2790000 end_va = 0x2b8afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002790000" filename = "" Region: id = 333 start_va = 0x2330000 end_va = 0x2333fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 334 start_va = 0x2340000 end_va = 0x2353fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000e.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db") Region: id = 335 start_va = 0x2b90000 end_va = 0x2c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" Region: id = 336 start_va = 0x2360000 end_va = 0x2360fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002360000" filename = "" Region: id = 337 start_va = 0x7ff917680000 end_va = 0x7ff917837fff monitored = 0 entry_point = 0x7ff9176ee630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 338 start_va = 0x7ff920de0000 end_va = 0x7ff921161fff monitored = 0 entry_point = 0x7ff920e31220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 339 start_va = 0x7ff926920000 end_va = 0x7ff92694cfff monitored = 0 entry_point = 0x7ff926939d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 340 start_va = 0x2330000 end_va = 0x2330fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002330000" filename = "" Region: id = 341 start_va = 0x7ff5ffe50000 end_va = 0x7ff5ffecdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 354 start_va = 0x7ff918470000 end_va = 0x7ff91847ffff monitored = 0 entry_point = 0x7ff918473d50 region_type = mapped_file name = "pcacli.dll" filename = "\\Windows\\System32\\pcacli.dll" (normalized: "c:\\windows\\system32\\pcacli.dll") Region: id = 355 start_va = 0x7ff91e920000 end_va = 0x7ff91e93afff monitored = 0 entry_point = 0x7ff91e921040 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Thread: id = 1 os_tid = 0x5d4 [0088.175] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7ff9271d0000 [0088.176] GetProcAddress (hModule=0x7ff9271d0000, lpProcName="InitializeCriticalSectionEx") returned 0x7ff927227c50 [0088.176] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x7ff9271d0000 [0088.176] GetProcAddress (hModule=0x7ff9271d0000, lpProcName="FlsAlloc") returned 0x7ff927237e50 [0088.176] GetProcAddress (hModule=0x7ff9271d0000, lpProcName="FlsSetValue") returned 0x7ff927223cb0 [0088.178] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x7ff9271d0000 [0088.178] GetProcAddress (hModule=0x7ff9271d0000, lpProcName="InitializeCriticalSectionEx") returned 0x7ff927227c50 [0088.178] GetProcessHeap () returned 0x5c0000 [0088.179] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x7ff9271d0000 [0088.179] GetProcAddress (hModule=0x7ff9271d0000, lpProcName="FlsAlloc") returned 0x7ff927237e50 [0088.179] GetLastError () returned 0x0 [0088.179] GetProcAddress (hModule=0x7ff9271d0000, lpProcName="FlsGetValue") returned 0x7ff927213780 [0088.179] GetProcAddress (hModule=0x7ff9271d0000, lpProcName="FlsSetValue") returned 0x7ff927223cb0 [0088.180] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x3c8) returned 0x5d0320 [0088.180] SetLastError (dwErrCode=0x0) [0088.180] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x1200) returned 0x5d6f40 [0088.182] GetStartupInfoW (in: lpStartupInfo=0x14fe10 | out: lpStartupInfo=0x14fe10*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iTsDZL.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0088.182] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0088.182] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0088.182] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0088.182] GetCommandLineA () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\iTsDZL.exe\" \"C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx\"" [0088.182] GetCommandLineW () returned="\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\iTsDZL.exe\" \"C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx\"" [0088.183] GetACP () returned 0x4e4 [0088.183] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x228) returned 0x5cf850 [0088.183] IsValidCodePage (CodePage=0x4e4) returned 1 [0088.183] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14fdd0 | out: lpCPInfo=0x14fdd0) returned 1 [0088.183] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14f670 | out: lpCPInfo=0x14f670) returned 1 [0088.183] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f690, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0088.184] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f690, cbMultiByte=256, lpWideCharStr=0x14f3c0, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0088.184] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpCharType=0x14f990 | out: lpCharType=0x14f990) returned 1 [0088.185] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f690, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0088.185] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f690, cbMultiByte=256, lpWideCharStr=0x14f360, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0088.185] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x7ff9271d0000 [0088.185] GetProcAddress (hModule=0x7ff9271d0000, lpProcName="LCMapStringEx") returned 0x7ff9271e5350 [0088.185] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0088.185] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x14f150, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0088.185] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x14f790, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", lpUsedDefaultChar=0x0) returned 256 [0088.185] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f690, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0088.186] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f690, cbMultiByte=256, lpWideCharStr=0x14f360, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0088.186] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0088.186] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x14f150, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0088.186] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x14f890, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0088.186] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x100) returned 0x5d5ad0 [0088.186] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7ff6eab5c660, nSize=0x104 | out: lpFilename="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iTsDZL.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\itsdzl.exe")) returned 0x28 [0088.186] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x130) returned 0x5cc1a0 [0088.186] RtlInitializeSListHead (in: ListHead=0x7ff6eab5c4c0 | out: ListHead=0x7ff6eab5c4c0) [0088.186] GetLastError () returned 0x0 [0088.186] SetLastError (dwErrCode=0x0) [0088.186] GetEnvironmentStringsW () returned 0x5d8150* [0088.186] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x0, Size=0x9cc) returned 0x5d8b30 [0088.186] FreeEnvironmentStringsW (penv=0x5d8150) returned 1 [0088.186] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x118) returned 0x5ce9b0 [0088.186] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x3e) returned 0x5d61c0 [0088.186] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x5c) returned 0x5cfa80 [0088.186] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x62) returned 0x5c8f00 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x78) returned 0x5cbf10 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x62) returned 0x5cb640 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x28) returned 0x5d0190 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x48) returned 0x5d6120 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x1a) returned 0x5d02b0 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x3a) returned 0x5d6030 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x62) returned 0x5c8c70 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x2a) returned 0x5cbf90 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x2e) returned 0x5c8f70 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x1c) returned 0x5cfe00 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xd2) returned 0x5c0750 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x7c) returned 0x5c72d0 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x3a) returned 0x5d6490 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x90) returned 0x5c6f00 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x24) returned 0x5d0040 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x30) returned 0x5c8ce0 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x36) returned 0x5cb6b0 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x3c) returned 0x5d6b70 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x52) returned 0x5cd7a0 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x3c) returned 0x5d6300 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0xd6) returned 0x5c8b60 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x2e) returned 0x5cc2e0 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x1e) returned 0x5cfce0 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x2c) returned 0x5c6ad0 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x54) returned 0x5cd6e0 [0088.187] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x52) returned 0x5cd8c0 [0088.188] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x24) returned 0x5cfc80 [0088.188] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x42) returned 0x5d66c0 [0088.188] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x2c) returned 0x5c6b10 [0088.188] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x44) returned 0x5d6d00 [0088.188] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x24) returned 0x5cfdd0 [0088.188] HeapFree (in: hHeap=0x5c0000, dwFlags=0x0, lpMem=0x5d8b30 | out: hHeap=0x5c0000) returned 1 [0088.188] RtlAllocateHeap (HeapHandle=0x5c0000, Flags=0x8, Size=0x1000) returned 0x5d8150 [0088.189] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6eab41dc0) returned 0x0 [0088.189] GetStartupInfoW (in: lpStartupInfo=0x14fea0 | out: lpStartupInfo=0x14fea0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iTsDZL.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0088.189] GetCurrentProcess () returned 0xffffffffffffffff [0088.189] IsWow64Process (in: hProcess=0xffffffffffffffff, Wow64Process=0x14fce0 | out: Wow64Process=0x14fce0*=0) returned 1 [0088.189] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fc60 | out: phkResult=0x14fc60*=0x144) returned 0x0 [0088.190] RegQueryInfoKeyW (in: hKey=0x144, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x14fce8, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x14fcf0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x14fce8*=0x2, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x14fcf0) returned 0x0 [0088.190] RegCloseKey (hKey=0x144) returned 0x0 [0088.190] GetActiveWindow () returned 0x0 [0088.190] ShellExecuteExW (in: pExecInfo=0x14fc70*(cbSize=0x70, fMask=0x40, hwnd=0x0, lpVerb="open", lpFile="\\Windows\\System32\\regsvr32.exe", lpParameters="\"C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx\"", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x14fc70*(cbSize=0x70, fMask=0x40, hwnd=0x0, lpVerb="open", lpFile="\\Windows\\System32\\regsvr32.exe", lpParameters="\"C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx\"", lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x310)) returned 1 [0097.287] WaitForSingleObject (hHandle=0x310, dwMilliseconds=0xffffffff) returned 0x0 [0115.020] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects", ulOptions=0x0, samDesired=0x20019, phkResult=0x14fc60 | out: phkResult=0x14fc60*=0x15c) returned 0x0 [0115.021] RegQueryInfoKeyW (in: hKey=0x15c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x14fce4, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x14fcf8 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x14fce4*=0x2, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x14fcf8) returned 0x0 [0115.021] RegCloseKey (hKey=0x15c) returned 0x0 [0115.021] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6eab40000 [0115.021] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6eab40000 [0115.022] HeapFree (in: hHeap=0x5c0000, dwFlags=0x0, lpMem=0x5d5ad0 | out: hHeap=0x5c0000) returned 1 [0115.024] HeapFree (in: hHeap=0x5c0000, dwFlags=0x0, lpMem=0x5d8150 | out: hHeap=0x5c0000) returned 1 [0115.024] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x7ff926ca0000 [0115.025] GetProcAddress (hModule=0x7ff926ca0000, lpProcName="AppPolicyGetProcessTerminationMethod") returned 0x0 [0115.025] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x14fe98 | out: phModule=0x14fe98) returned 0 [0115.025] ExitProcess (uExitCode=0x0) [0115.026] HeapFree (in: hHeap=0x5c0000, dwFlags=0x0, lpMem=0x5d0320 | out: hHeap=0x5c0000) returned 1 Thread: id = 2 os_tid = 0x434 Thread: id = 3 os_tid = 0x928 Thread: id = 4 os_tid = 0x838 Thread: id = 5 os_tid = 0xf10 Thread: id = 6 os_tid = 0xcc0 Thread: id = 7 os_tid = 0xa6c Thread: id = 8 os_tid = 0x304 Process: id = "2" image_name = "regsvr32.exe" filename = "c:\\windows\\system32\\regsvr32.exe" page_root = "0x5014b000" os_pid = "0xce8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xd7c" cmd_line = "\"C:\\Windows\\System32\\regsvr32.exe\" \"C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f46a" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 342 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 343 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 344 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 345 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 346 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 347 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 348 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 349 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 350 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 351 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 352 start_va = 0x7ff6e8c90000 end_va = 0x7ff6e8c98fff monitored = 1 entry_point = 0x7ff6e8c92810 region_type = mapped_file name = "regsvr32.exe" filename = "\\Windows\\System32\\regsvr32.exe" (normalized: "c:\\windows\\system32\\regsvr32.exe") Region: id = 353 start_va = 0x7ff92a680000 end_va = 0x7ff92a840fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 356 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 357 start_va = 0x460000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 358 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 359 start_va = 0x7ff9271d0000 end_va = 0x7ff9273b7fff monitored = 0 entry_point = 0x7ff9271fba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 360 start_va = 0x7ff927b50000 end_va = 0x7ff927bfcfff monitored = 0 entry_point = 0x7ff927b681a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 361 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 362 start_va = 0x7ff925490000 end_va = 0x7ff925508fff monitored = 0 entry_point = 0x7ff9254afb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 363 start_va = 0x7df5ffe40000 end_va = 0x7df5ffebdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 364 start_va = 0x7ff90e810000 end_va = 0x7ff90ec92fff monitored = 0 entry_point = 0x7ff90e814e70 region_type = mapped_file name = "aclayers.dll" filename = "\\Windows\\AppPatch\\apppatch64\\AcLayers.dll" (normalized: "c:\\windows\\apppatch\\apppatch64\\aclayers.dll") Region: id = 365 start_va = 0x7ff929e40000 end_va = 0x7ff929edcfff monitored = 0 entry_point = 0x7ff929e478a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 366 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 367 start_va = 0x7ff92a520000 end_va = 0x7ff92a675fff monitored = 0 entry_point = 0x7ff92a52a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 368 start_va = 0x7ff929ee0000 end_va = 0x7ff92a065fff monitored = 0 entry_point = 0x7ff929f2ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 369 start_va = 0x7ff927ed0000 end_va = 0x7ff927f21fff monitored = 0 entry_point = 0x7ff927edf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 370 start_va = 0x7ff9282c0000 end_va = 0x7ff92853cfff monitored = 0 entry_point = 0x7ff928394970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 371 start_va = 0x7ff928540000 end_va = 0x7ff92865bfff monitored = 0 entry_point = 0x7ff9285802b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 372 start_va = 0x7ff927a10000 end_va = 0x7ff927a79fff monitored = 0 entry_point = 0x7ff927a46d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 373 start_va = 0x180000000 end_va = 0x180002fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 374 start_va = 0x7ff916410000 end_va = 0x7ff916493fff monitored = 0 entry_point = 0x7ff916422830 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 375 start_va = 0x7ff926b30000 end_va = 0x7ff926b58fff monitored = 0 entry_point = 0x7ff926b44530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 376 start_va = 0x7ff91a560000 end_va = 0x7ff91a570fff monitored = 0 entry_point = 0x7ff91a563e10 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 377 start_va = 0x560000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 378 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 379 start_va = 0x400000 end_va = 0x438fff monitored = 0 entry_point = 0x4012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 380 start_va = 0x600000 end_va = 0x787fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 381 start_va = 0x7ff927c80000 end_va = 0x7ff927cbafff monitored = 0 entry_point = 0x7ff927c812f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 382 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 383 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 384 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "regsvr32.exe.mui" filename = "\\Windows\\System32\\en-US\\regsvr32.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\regsvr32.exe.mui") Region: id = 385 start_va = 0x790000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 386 start_va = 0x920000 end_va = 0x1d1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 387 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 388 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 389 start_va = 0x7ff928830000 end_va = 0x7ff9288d6fff monitored = 0 entry_point = 0x7ff9288458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 390 start_va = 0x7ff927af0000 end_va = 0x7ff927b4afff monitored = 0 entry_point = 0x7ff927b038b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 391 start_va = 0x560000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 392 start_va = 0x5f0000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 393 start_va = 0x7ff928110000 end_va = 0x7ff928252fff monitored = 0 entry_point = 0x7ff928138210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 394 start_va = 0x7ff91da80000 end_va = 0x7ff91dcf3fff monitored = 0 entry_point = 0x7ff91daf0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 395 start_va = 0x1d20000 end_va = 0x1ddffff monitored = 0 entry_point = 0x1d40da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 396 start_va = 0x420000 end_va = 0x420fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 397 start_va = 0x430000 end_va = 0x431fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 398 start_va = 0x1d20000 end_va = 0x1dfcfff monitored = 0 entry_point = 0x1d7e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 399 start_va = 0x7ff926ca0000 end_va = 0x7ff926caefff monitored = 0 entry_point = 0x7ff926ca3210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 400 start_va = 0x7ff925530000 end_va = 0x7ff9255c5fff monitored = 0 entry_point = 0x7ff925555570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 401 start_va = 0x1d20000 end_va = 0x1eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 402 start_va = 0x1d20000 end_va = 0x1e20fff monitored = 1 entry_point = 0x1d77708 region_type = mapped_file name = "dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx" filename = "\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx") Region: id = 403 start_va = 0x1ea0000 end_va = 0x1eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 404 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 405 start_va = 0x7ff927f30000 end_va = 0x7ff92803afff monitored = 0 entry_point = 0x7ff927f52300 region_type = mapped_file name = "comdlg32.dll" filename = "\\Windows\\System32\\comdlg32.dll" (normalized: "c:\\windows\\system32\\comdlg32.dll") Region: id = 406 start_va = 0x7ff926ed0000 end_va = 0x7ff926f84fff monitored = 0 entry_point = 0x7ff926f122e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 407 start_va = 0x7ff9288e0000 end_va = 0x7ff929e3efff monitored = 0 entry_point = 0x7ff928a411f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 408 start_va = 0x7ff927180000 end_va = 0x7ff9271c2fff monitored = 0 entry_point = 0x7ff927194b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 409 start_va = 0x7ff9273c0000 end_va = 0x7ff927a03fff monitored = 0 entry_point = 0x7ff9275864b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 410 start_va = 0x7ff926cb0000 end_va = 0x7ff926cfafff monitored = 0 entry_point = 0x7ff926cb35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 411 start_va = 0x7ff926d00000 end_va = 0x7ff926d13fff monitored = 0 entry_point = 0x7ff926d052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 412 start_va = 0x7ff926d30000 end_va = 0x7ff926db5fff monitored = 0 entry_point = 0x7ff926d3d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 413 start_va = 0x7ff926f90000 end_va = 0x7ff926fa6fff monitored = 0 entry_point = 0x7ff926f91390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 414 start_va = 0x7ff928040000 end_va = 0x7ff928100fff monitored = 0 entry_point = 0x7ff928060da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 415 start_va = 0x7ff91e8c0000 end_va = 0x7ff91e8cbfff monitored = 0 entry_point = 0x7ff91e8c1860 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\System32\\davhlpr.dll" (normalized: "c:\\windows\\system32\\davhlpr.dll") Region: id = 416 start_va = 0x7ff925a20000 end_va = 0x7ff925a51fff monitored = 0 entry_point = 0x7ff925a32340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 417 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 418 start_va = 0x1eb0000 end_va = 0x1f6bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001eb0000" filename = "" Region: id = 419 start_va = 0x440000 end_va = 0x443fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 420 start_va = 0x450000 end_va = 0x456fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 421 start_va = 0x1f70000 end_va = 0x215ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 422 start_va = 0x5e0000 end_va = 0x5e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 423 start_va = 0x1f70000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 424 start_va = 0x2150000 end_va = 0x215ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 425 start_va = 0x2160000 end_va = 0x80c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 426 start_va = 0x1e30000 end_va = 0x1e30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 427 start_va = 0x1e40000 end_va = 0x1e6dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 428 start_va = 0x1e70000 end_va = 0x1e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e70000" filename = "" Region: id = 429 start_va = 0x2070000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 430 start_va = 0x7ff926fb0000 end_va = 0x7ff927176fff monitored = 0 entry_point = 0x7ff92700db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 431 start_va = 0x7ff926d20000 end_va = 0x7ff926d2ffff monitored = 0 entry_point = 0x7ff926d256e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 432 start_va = 0x7ff917680000 end_va = 0x7ff917837fff monitored = 0 entry_point = 0x7ff9176ee630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 433 start_va = 0x7ff920de0000 end_va = 0x7ff921161fff monitored = 0 entry_point = 0x7ff920e31220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 434 start_va = 0x7ff926400000 end_va = 0x7ff92641efff monitored = 0 entry_point = 0x7ff926405d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 435 start_va = 0x7ff917eb0000 end_va = 0x7ff91813dfff monitored = 0 entry_point = 0x7ff917f80f00 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 436 start_va = 0x7ff925320000 end_va = 0x7ff925332fff monitored = 0 entry_point = 0x7ff925322760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 437 start_va = 0x2080000 end_va = 0x208ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 438 start_va = 0x2080000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 439 start_va = 0x20a0000 end_va = 0x20aefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020a0000" filename = "" Region: id = 440 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 441 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 442 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 443 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 444 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 445 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 446 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 447 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 448 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 449 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 450 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 451 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 452 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 453 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 454 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 455 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 456 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 457 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 458 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 459 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 460 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 461 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 462 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 463 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 464 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 465 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 466 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 467 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 468 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 469 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 470 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 471 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 472 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 473 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 474 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 475 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 476 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 477 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 478 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 479 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 480 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 481 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 482 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 483 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 484 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 485 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 486 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 487 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 488 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 489 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 490 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 491 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 492 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 493 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 494 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 495 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 496 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 497 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 498 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 499 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 500 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 501 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 502 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 503 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 504 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 505 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 506 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 507 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 508 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 509 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 510 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 511 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 512 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 513 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 514 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 515 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 516 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 517 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 518 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 519 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 520 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 521 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 522 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 523 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 524 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 525 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 526 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 527 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 528 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 529 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 530 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 531 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 532 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 533 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 534 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 535 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 536 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 537 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 538 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 539 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 540 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 541 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 542 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 543 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 544 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 545 start_va = 0x2080000 end_va = 0x208efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 546 start_va = 0x2080000 end_va = 0x2080fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 547 start_va = 0x2160000 end_va = 0x2496fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 548 start_va = 0x2090000 end_va = 0x2090fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002090000" filename = "" Region: id = 549 start_va = 0x7ff927cc0000 end_va = 0x7ff927d66fff monitored = 0 entry_point = 0x7ff927ccb4d0 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 550 start_va = 0x20a0000 end_va = 0x20a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020a0000" filename = "" Region: id = 551 start_va = 0x20b0000 end_va = 0x212ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 552 start_va = 0x7ff925130000 end_va = 0x7ff9252b5fff monitored = 0 entry_point = 0x7ff92517d700 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 553 start_va = 0x2130000 end_va = 0x2133fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 554 start_va = 0x24a0000 end_va = 0x24b3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000e.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000e.db") Region: id = 555 start_va = 0x24c0000 end_va = 0x253ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 556 start_va = 0x2140000 end_va = 0x2140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002140000" filename = "" Region: id = 557 start_va = 0x2130000 end_va = 0x2130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002130000" filename = "" Region: id = 558 start_va = 0x2130000 end_va = 0x2130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002130000" filename = "" Region: id = 559 start_va = 0x2540000 end_va = 0x261cfff monitored = 0 entry_point = 0x259e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 560 start_va = 0x2540000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 561 start_va = 0x2130000 end_va = 0x2133fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 562 start_va = 0x25c0000 end_va = 0x2604fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db") Region: id = 563 start_va = 0x2610000 end_va = 0x2613fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 564 start_va = 0x2620000 end_va = 0x26adfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 565 start_va = 0x26b0000 end_va = 0x26b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000026b0000" filename = "" Region: id = 566 start_va = 0x26b0000 end_va = 0x26b7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.storage.dll.mui" filename = "\\Windows\\System32\\en-US\\windows.storage.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\windows.storage.dll.mui") Region: id = 567 start_va = 0x7ff926190000 end_va = 0x7ff9261c0fff monitored = 0 entry_point = 0x7ff926197d10 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 568 start_va = 0x26c0000 end_va = 0x26c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000026c0000" filename = "" Region: id = 569 start_va = 0x26c0000 end_va = 0x26c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000026c0000" filename = "" Region: id = 570 start_va = 0x7ff92a4b0000 end_va = 0x7ff92a51efff monitored = 0 entry_point = 0x7ff92a4d5f70 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 571 start_va = 0x7ff918540000 end_va = 0x7ff91854cfff monitored = 0 entry_point = 0x7ff918541ea0 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 572 start_va = 0x7ff9185d0000 end_va = 0x7ff9186aafff monitored = 0 entry_point = 0x7ff9185e28b0 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 573 start_va = 0x7ff926920000 end_va = 0x7ff92694cfff monitored = 0 entry_point = 0x7ff926939d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 574 start_va = 0x7ff9185a0000 end_va = 0x7ff9185c5fff monitored = 0 entry_point = 0x7ff9185a1cf0 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 575 start_va = 0x7ff91e890000 end_va = 0x7ff91e8a1fff monitored = 0 entry_point = 0x7ff91e893580 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 585 start_va = 0x7df5ffe40000 end_va = 0x7df5ffebdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 589 start_va = 0x7ff9260b0000 end_va = 0x7ff9260bbfff monitored = 0 entry_point = 0x7ff9260b27e0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Thread: id = 9 os_tid = 0x9d8 [0100.390] GetStartupInfoW (in: lpStartupInfo=0xcfed0 | out: lpStartupInfo=0xcfed0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\regsvr32.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0100.390] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6e8c90000 [0100.390] __set_app_type (_Type=0x2) [0100.390] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6e8c92b20) returned 0x0 [0100.391] __wgetmainargs (in: _Argc=0x7ff6e8c950e8, _Argv=0x7ff6e8c950f0, _Env=0x7ff6e8c950f8, _DoWildCard=0, _StartInfo=0x7ff6e8c95104 | out: _Argc=0x7ff6e8c950e8, _Argv=0x7ff6e8c950f0, _Env=0x7ff6e8c950f8) returned 0 [0100.391] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0100.392] lstrlenW (lpString="C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx") returned 98 [0100.392] OleInitialize (pvReserved=0x0) returned 0x0 [0100.490] _wsplitpath_s (in: _FullPath="C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx", _Drive=0x0, _DriveCount=0x0, _Dir=0x0, _DirCount=0x0, _Filename=0x0, _FilenameCount=0x0, _Ext=0xce760, _ExtCount=0x100 | out: _Drive=0x0, _Dir=0x0, _Filename=0x0, _Ext=".ocx") returned 0x0 [0100.490] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".ocx", ulOptions=0x0, samDesired=0x1, phkResult=0xce538 | out: phkResult=0xce538*=0x13e) returned 0x0 [0100.491] RegQueryValueExW (in: hKey=0x13e, lpValueName=0x0, lpReserved=0x0, lpType=0x0, lpData=0xce550, lpcbData=0xce530*=0x200 | out: lpType=0x0, lpData=0xce550*=0x6f, lpcbData=0xce530*=0x10) returned 0x0 [0100.491] RegCloseKey (hKey=0x13e) returned 0x0 [0100.492] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="ocxfile", ulOptions=0x0, samDesired=0x1, phkResult=0xce538 | out: phkResult=0xce538*=0x13e) returned 0x0 [0100.492] RegOpenKeyExW (in: hKey=0x13e, lpSubKey="AutoRegister", ulOptions=0x0, samDesired=0x1, phkResult=0xce540 | out: phkResult=0xce540*=0x0) returned 0x2 [0100.492] RegCloseKey (hKey=0x13e) returned 0x0 [0100.492] SetErrorMode (uMode=0x1) returned 0x0 [0100.492] LoadLibraryExW (lpLibFileName="C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx", hFile=0x0, dwFlags=0x8) returned 0x1d20000 [0103.500] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xce3d0 | out: lpSystemTimeAsFileTime=0xce3d0*(dwLowDateTime=0x887d785, dwHighDateTime=0x1d88f9e)) [0103.500] GetCurrentProcessId () returned 0xce8 [0103.500] GetCurrentThreadId () returned 0x9d8 [0103.501] GetTickCount () returned 0x20c48db [0103.501] QueryPerformanceCounter (in: lpPerformanceCount=0xce3d8 | out: lpPerformanceCount=0xce3d8*=3446617222371) returned 1 [0103.501] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x2150000 [0103.502] HeapSetInformation (HeapHandle=0x2150000, HeapInformationClass=0x0, HeapInformation=0xce390, HeapInformationLength=0x4) returned 1 [0103.506] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x2c8) returned 0x2150830 [0103.507] GetCurrentThreadId () returned 0x9d8 [0103.507] GetCommandLineA () returned="\"C:\\Windows\\System32\\regsvr32.exe\" \"C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx\"" [0103.507] GetEnvironmentStringsW () returned 0x486620* [0103.507] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1254, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1254 [0103.507] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x0, Size=0x4e6) returned 0x2150b00 [0103.507] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1254, lpMultiByteStr=0x2150b00, cbMultiByte=1254, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1254 [0103.507] FreeEnvironmentStringsW (penv=0x486620) returned 1 [0103.507] GetStartupInfoA (in: lpStartupInfo=0xce300 | out: lpStartupInfo=0xce300*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\regsvr32.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0103.507] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0xb00) returned 0x2150ff0 [0103.507] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0103.507] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0103.507] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0103.507] SetHandleCount (uNumber=0x20) returned 0x20 [0103.507] GetLastError () returned 0xcb [0103.507] SetLastError (dwErrCode=0xcb) [0103.508] GetLastError () returned 0xcb [0103.508] SetLastError (dwErrCode=0xcb) [0103.508] GetLastError () returned 0xcb [0103.508] SetLastError (dwErrCode=0xcb) [0103.508] GetACP () returned 0x4e4 [0103.508] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x0, Size=0x220) returned 0x2153fc0 [0103.509] GetLastError () returned 0xcb [0103.509] SetLastError (dwErrCode=0xcb) [0103.509] IsValidCodePage (CodePage=0x4e4) returned 1 [0103.509] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xce290 | out: lpCPInfo=0xce290) returned 1 [0103.509] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xcdd30 | out: lpCPInfo=0xcdd30) returned 1 [0103.510] GetLastError () returned 0xcb [0103.510] SetLastError (dwErrCode=0xcb) [0103.510] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0xcdc30 | out: lpCharType=0xcdc30) returned 1 [0103.510] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcdd50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0103.510] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcdd50, cbMultiByte=256, lpWideCharStr=0xcda30, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȠ\x0c") returned 256 [0103.510] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȠ\x0c", cchSrc=256, lpCharType=0xce050 | out: lpCharType=0xce050) returned 1 [0103.510] GetLastError () returned 0xcb [0103.510] SetLastError (dwErrCode=0xcb) [0103.510] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0103.510] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcdd50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0103.510] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcdd50, cbMultiByte=256, lpWideCharStr=0xcda10, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0103.511] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0103.511] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0xcd800, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0103.511] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0xcde50, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x80", lpUsedDefaultChar=0x0) returned 256 [0103.511] GetLastError () returned 0xcb [0103.511] SetLastError (dwErrCode=0xcb) [0103.511] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcdd50, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0103.511] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xcdd50, cbMultiByte=256, lpWideCharStr=0xcda10, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ") returned 256 [0103.511] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0103.511] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȀ", cchSrc=256, lpDestStr=0xcd800, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0103.511] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0xcdf50, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0103.511] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x1dd9ca0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\regsvr32.exe" (normalized: "c:\\windows\\system32\\regsvr32.exe")) returned 0x20 [0103.511] GetLastError () returned 0x0 [0103.511] SetLastError (dwErrCode=0x0) [0103.511] GetLastError () returned 0x0 [0103.511] SetLastError (dwErrCode=0x0) [0103.511] GetLastError () returned 0x0 [0103.511] SetLastError (dwErrCode=0x0) [0103.511] GetLastError () returned 0x0 [0103.511] SetLastError (dwErrCode=0x0) [0103.512] GetLastError () returned 0x0 [0103.512] SetLastError (dwErrCode=0x0) [0103.512] GetLastError () returned 0x0 [0103.512] SetLastError (dwErrCode=0x0) [0103.512] GetLastError () returned 0x0 [0103.512] SetLastError (dwErrCode=0x0) [0103.512] GetLastError () returned 0x0 [0103.512] SetLastError (dwErrCode=0x0) [0103.512] GetLastError () returned 0x0 [0103.512] SetLastError (dwErrCode=0x0) [0103.512] GetLastError () returned 0x0 [0103.512] SetLastError (dwErrCode=0x0) [0103.512] GetLastError () returned 0x0 [0103.512] SetLastError (dwErrCode=0x0) [0103.512] GetLastError () returned 0x0 [0103.513] SetLastError (dwErrCode=0x0) [0103.513] GetLastError () returned 0x0 [0103.513] SetLastError (dwErrCode=0x0) [0103.513] GetLastError () returned 0x0 [0103.513] SetLastError (dwErrCode=0x0) [0103.513] GetLastError () returned 0x0 [0103.513] SetLastError (dwErrCode=0x0) [0103.513] GetLastError () returned 0x0 [0103.513] SetLastError (dwErrCode=0x0) [0103.513] GetLastError () returned 0x0 [0103.513] SetLastError (dwErrCode=0x0) [0103.513] GetLastError () returned 0x0 [0103.513] SetLastError (dwErrCode=0x0) [0103.513] GetLastError () returned 0x0 [0103.513] SetLastError (dwErrCode=0x0) [0103.513] GetLastError () returned 0x0 [0103.513] SetLastError (dwErrCode=0x0) [0103.513] GetLastError () returned 0x0 [0103.513] SetLastError (dwErrCode=0x0) [0103.514] GetLastError () returned 0x0 [0103.514] SetLastError (dwErrCode=0x0) [0103.514] GetLastError () returned 0x0 [0103.514] SetLastError (dwErrCode=0x0) [0103.514] GetLastError () returned 0x0 [0103.514] SetLastError (dwErrCode=0x0) [0103.514] GetLastError () returned 0x0 [0103.514] SetLastError (dwErrCode=0x0) [0103.514] GetLastError () returned 0x0 [0103.514] SetLastError (dwErrCode=0x0) [0103.514] GetLastError () returned 0x0 [0103.514] SetLastError (dwErrCode=0x0) [0103.514] GetLastError () returned 0x0 [0103.514] SetLastError (dwErrCode=0x0) [0103.514] GetLastError () returned 0x0 [0103.514] SetLastError (dwErrCode=0x0) [0103.514] GetLastError () returned 0x0 [0103.514] SetLastError (dwErrCode=0x0) [0103.514] GetLastError () returned 0x0 [0103.514] SetLastError (dwErrCode=0x0) [0103.514] GetLastError () returned 0x0 [0103.514] SetLastError (dwErrCode=0x0) [0103.515] GetLastError () returned 0x0 [0103.515] SetLastError (dwErrCode=0x0) [0103.515] GetLastError () returned 0x0 [0103.515] SetLastError (dwErrCode=0x0) [0103.515] GetLastError () returned 0x0 [0103.515] SetLastError (dwErrCode=0x0) [0103.515] GetLastError () returned 0x0 [0103.515] SetLastError (dwErrCode=0x0) [0103.515] GetLastError () returned 0x0 [0103.515] SetLastError (dwErrCode=0x0) [0103.515] GetLastError () returned 0x0 [0103.515] SetLastError (dwErrCode=0x0) [0103.515] GetLastError () returned 0x0 [0103.515] SetLastError (dwErrCode=0x0) [0103.515] GetLastError () returned 0x0 [0103.515] SetLastError (dwErrCode=0x0) [0103.515] GetLastError () returned 0x0 [0103.516] SetLastError (dwErrCode=0x0) [0103.516] GetLastError () returned 0x0 [0103.516] SetLastError (dwErrCode=0x0) [0103.516] GetLastError () returned 0x0 [0103.516] SetLastError (dwErrCode=0x0) [0103.516] GetLastError () returned 0x0 [0103.516] SetLastError (dwErrCode=0x0) [0103.516] GetLastError () returned 0x0 [0103.516] SetLastError (dwErrCode=0x0) [0103.516] GetLastError () returned 0x0 [0103.516] SetLastError (dwErrCode=0x0) [0103.516] GetLastError () returned 0x0 [0103.516] SetLastError (dwErrCode=0x0) [0103.516] GetLastError () returned 0x0 [0103.516] SetLastError (dwErrCode=0x0) [0103.516] GetLastError () returned 0x0 [0103.516] SetLastError (dwErrCode=0x0) [0103.516] GetLastError () returned 0x0 [0103.516] SetLastError (dwErrCode=0x0) [0103.516] GetLastError () returned 0x0 [0103.516] SetLastError (dwErrCode=0x0) [0103.516] GetLastError () returned 0x0 [0103.517] SetLastError (dwErrCode=0x0) [0103.517] GetLastError () returned 0x0 [0103.517] SetLastError (dwErrCode=0x0) [0103.517] GetLastError () returned 0x0 [0103.517] SetLastError (dwErrCode=0x0) [0103.517] GetLastError () returned 0x0 [0103.517] SetLastError (dwErrCode=0x0) [0103.517] GetLastError () returned 0x0 [0103.517] SetLastError (dwErrCode=0x0) [0103.517] GetLastError () returned 0x0 [0103.517] SetLastError (dwErrCode=0x0) [0103.517] GetLastError () returned 0x0 [0103.517] SetLastError (dwErrCode=0x0) [0103.517] GetLastError () returned 0x0 [0103.517] SetLastError (dwErrCode=0x0) [0103.517] GetLastError () returned 0x0 [0103.517] SetLastError (dwErrCode=0x0) [0103.517] GetLastError () returned 0x0 [0103.517] SetLastError (dwErrCode=0x0) [0103.517] GetLastError () returned 0x0 [0103.517] SetLastError (dwErrCode=0x0) [0103.517] GetLastError () returned 0x0 [0103.517] SetLastError (dwErrCode=0x0) [0103.517] GetLastError () returned 0x0 [0103.518] SetLastError (dwErrCode=0x0) [0103.518] GetLastError () returned 0x0 [0103.518] SetLastError (dwErrCode=0x0) [0103.518] GetLastError () returned 0x0 [0103.518] SetLastError (dwErrCode=0x0) [0103.556] GetLastError () returned 0x0 [0103.556] SetLastError (dwErrCode=0x0) [0103.556] GetLastError () returned 0x0 [0103.556] SetLastError (dwErrCode=0x0) [0103.556] GetLastError () returned 0x0 [0103.556] SetLastError (dwErrCode=0x0) [0103.556] GetLastError () returned 0x0 [0103.556] SetLastError (dwErrCode=0x0) [0103.556] GetLastError () returned 0x0 [0103.557] SetLastError (dwErrCode=0x0) [0103.557] GetLastError () returned 0x0 [0103.557] SetLastError (dwErrCode=0x0) [0103.557] GetLastError () returned 0x0 [0103.557] SetLastError (dwErrCode=0x0) [0103.557] GetLastError () returned 0x0 [0103.557] SetLastError (dwErrCode=0x0) [0103.557] GetLastError () returned 0x0 [0103.557] SetLastError (dwErrCode=0x0) [0103.557] GetLastError () returned 0x0 [0103.557] SetLastError (dwErrCode=0x0) [0103.557] GetLastError () returned 0x0 [0103.557] SetLastError (dwErrCode=0x0) [0103.557] GetLastError () returned 0x0 [0103.557] SetLastError (dwErrCode=0x0) [0103.557] GetLastError () returned 0x0 [0103.557] SetLastError (dwErrCode=0x0) [0103.557] GetLastError () returned 0x0 [0103.557] SetLastError (dwErrCode=0x0) [0103.557] GetLastError () returned 0x0 [0103.557] SetLastError (dwErrCode=0x0) [0103.557] GetLastError () returned 0x0 [0103.558] SetLastError (dwErrCode=0x0) [0103.558] GetLastError () returned 0x0 [0103.558] SetLastError (dwErrCode=0x0) [0103.558] GetLastError () returned 0x0 [0103.558] SetLastError (dwErrCode=0x0) [0103.558] GetLastError () returned 0x0 [0103.558] SetLastError (dwErrCode=0x0) [0103.558] GetLastError () returned 0x0 [0103.558] SetLastError (dwErrCode=0x0) [0103.558] GetLastError () returned 0x0 [0103.558] SetLastError (dwErrCode=0x0) [0103.558] GetLastError () returned 0x0 [0103.558] SetLastError (dwErrCode=0x0) [0103.558] GetLastError () returned 0x0 [0103.558] SetLastError (dwErrCode=0x0) [0103.558] GetLastError () returned 0x0 [0103.558] SetLastError (dwErrCode=0x0) [0103.558] GetLastError () returned 0x0 [0103.558] SetLastError (dwErrCode=0x0) [0103.558] GetLastError () returned 0x0 [0103.558] SetLastError (dwErrCode=0x0) [0103.558] GetLastError () returned 0x0 [0103.559] SetLastError (dwErrCode=0x0) [0103.559] GetLastError () returned 0x0 [0103.559] SetLastError (dwErrCode=0x0) [0103.559] GetLastError () returned 0x0 [0103.559] SetLastError (dwErrCode=0x0) [0103.559] GetLastError () returned 0x0 [0103.559] SetLastError (dwErrCode=0x0) [0103.559] GetLastError () returned 0x0 [0103.559] SetLastError (dwErrCode=0x0) [0103.559] GetLastError () returned 0x0 [0103.559] SetLastError (dwErrCode=0x0) [0103.559] GetLastError () returned 0x0 [0103.559] SetLastError (dwErrCode=0x0) [0103.559] GetLastError () returned 0x0 [0103.559] SetLastError (dwErrCode=0x0) [0103.559] GetLastError () returned 0x0 [0103.559] SetLastError (dwErrCode=0x0) [0103.559] GetLastError () returned 0x0 [0103.559] SetLastError (dwErrCode=0x0) [0103.559] GetLastError () returned 0x0 [0103.559] SetLastError (dwErrCode=0x0) [0103.559] GetLastError () returned 0x0 [0103.560] SetLastError (dwErrCode=0x0) [0103.560] GetLastError () returned 0x0 [0103.560] SetLastError (dwErrCode=0x0) [0103.560] GetLastError () returned 0x0 [0103.560] SetLastError (dwErrCode=0x0) [0103.560] GetLastError () returned 0x0 [0103.560] SetLastError (dwErrCode=0x0) [0103.560] GetLastError () returned 0x0 [0103.560] SetLastError (dwErrCode=0x0) [0103.560] GetLastError () returned 0x0 [0103.560] SetLastError (dwErrCode=0x0) [0103.560] GetLastError () returned 0x0 [0103.560] SetLastError (dwErrCode=0x0) [0103.560] GetLastError () returned 0x0 [0103.560] SetLastError (dwErrCode=0x0) [0103.560] GetLastError () returned 0x0 [0103.560] SetLastError (dwErrCode=0x0) [0103.560] GetLastError () returned 0x0 [0103.560] SetLastError (dwErrCode=0x0) [0103.560] GetLastError () returned 0x0 [0103.560] SetLastError (dwErrCode=0x0) [0103.560] GetLastError () returned 0x0 [0103.561] SetLastError (dwErrCode=0x0) [0103.561] GetLastError () returned 0x0 [0103.561] SetLastError (dwErrCode=0x0) [0103.561] GetLastError () returned 0x0 [0103.561] SetLastError (dwErrCode=0x0) [0103.561] GetLastError () returned 0x0 [0103.561] SetLastError (dwErrCode=0x0) [0103.561] GetLastError () returned 0x0 [0103.561] SetLastError (dwErrCode=0x0) [0103.561] GetLastError () returned 0x0 [0103.561] SetLastError (dwErrCode=0x0) [0103.561] GetLastError () returned 0x0 [0103.561] SetLastError (dwErrCode=0x0) [0103.561] GetLastError () returned 0x0 [0103.561] SetLastError (dwErrCode=0x0) [0103.561] GetLastError () returned 0x0 [0103.561] SetLastError (dwErrCode=0x0) [0103.561] GetLastError () returned 0x0 [0103.561] SetLastError (dwErrCode=0x0) [0103.561] GetLastError () returned 0x0 [0103.561] SetLastError (dwErrCode=0x0) [0103.561] GetLastError () returned 0x0 [0103.561] SetLastError (dwErrCode=0x0) [0103.561] GetLastError () returned 0x0 [0103.562] SetLastError (dwErrCode=0x0) [0103.562] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x0, Size=0x9c) returned 0x2150720 [0103.562] GetLastError () returned 0x0 [0103.562] SetLastError (dwErrCode=0x0) [0103.562] GetLastError () returned 0x0 [0103.562] SetLastError (dwErrCode=0x0) [0103.562] GetLastError () returned 0x0 [0103.562] SetLastError (dwErrCode=0x0) [0103.562] GetLastError () returned 0x0 [0103.562] SetLastError (dwErrCode=0x0) [0103.562] GetLastError () returned 0x0 [0103.562] SetLastError (dwErrCode=0x0) [0103.562] GetLastError () returned 0x0 [0103.562] SetLastError (dwErrCode=0x0) [0103.562] GetLastError () returned 0x0 [0103.562] SetLastError (dwErrCode=0x0) [0103.562] GetLastError () returned 0x0 [0103.562] SetLastError (dwErrCode=0x0) [0103.562] GetLastError () returned 0x0 [0103.562] SetLastError (dwErrCode=0x0) [0103.562] GetLastError () returned 0x0 [0103.562] SetLastError (dwErrCode=0x0) [0103.562] GetLastError () returned 0x0 [0103.563] SetLastError (dwErrCode=0x0) [0103.563] GetLastError () returned 0x0 [0103.563] SetLastError (dwErrCode=0x0) [0103.563] GetLastError () returned 0x0 [0103.563] SetLastError (dwErrCode=0x0) [0103.563] GetLastError () returned 0x0 [0103.563] SetLastError (dwErrCode=0x0) [0103.563] GetLastError () returned 0x0 [0103.563] SetLastError (dwErrCode=0x0) [0103.563] GetLastError () returned 0x0 [0103.563] SetLastError (dwErrCode=0x0) [0103.563] GetLastError () returned 0x0 [0103.564] SetLastError (dwErrCode=0x0) [0103.564] GetLastError () returned 0x0 [0103.564] SetLastError (dwErrCode=0x0) [0103.564] GetLastError () returned 0x0 [0103.564] SetLastError (dwErrCode=0x0) [0103.564] GetLastError () returned 0x0 [0103.564] SetLastError (dwErrCode=0x0) [0103.564] GetLastError () returned 0x0 [0103.564] SetLastError (dwErrCode=0x0) [0103.564] GetLastError () returned 0x0 [0103.564] SetLastError (dwErrCode=0x0) [0103.564] GetLastError () returned 0x0 [0103.564] SetLastError (dwErrCode=0x0) [0103.564] GetLastError () returned 0x0 [0103.564] SetLastError (dwErrCode=0x0) [0103.564] GetLastError () returned 0x0 [0103.564] SetLastError (dwErrCode=0x0) [0103.564] GetLastError () returned 0x0 [0103.564] SetLastError (dwErrCode=0x0) [0103.565] GetLastError () returned 0x0 [0103.565] SetLastError (dwErrCode=0x0) [0103.565] GetLastError () returned 0x0 [0103.565] SetLastError (dwErrCode=0x0) [0103.565] GetLastError () returned 0x0 [0103.565] SetLastError (dwErrCode=0x0) [0103.565] GetLastError () returned 0x0 [0103.565] SetLastError (dwErrCode=0x0) [0103.565] GetLastError () returned 0x0 [0103.565] SetLastError (dwErrCode=0x0) [0103.565] GetLastError () returned 0x0 [0103.565] SetLastError (dwErrCode=0x0) [0103.565] GetLastError () returned 0x0 [0103.565] SetLastError (dwErrCode=0x0) [0103.565] GetLastError () returned 0x0 [0103.565] SetLastError (dwErrCode=0x0) [0103.565] GetLastError () returned 0x0 [0103.565] SetLastError (dwErrCode=0x0) [0103.565] GetLastError () returned 0x0 [0103.565] SetLastError (dwErrCode=0x0) [0103.565] GetLastError () returned 0x0 [0103.566] SetLastError (dwErrCode=0x0) [0103.566] GetLastError () returned 0x0 [0103.566] SetLastError (dwErrCode=0x0) [0103.566] GetLastError () returned 0x0 [0103.566] SetLastError (dwErrCode=0x0) [0103.566] GetLastError () returned 0x0 [0103.566] SetLastError (dwErrCode=0x0) [0103.566] GetLastError () returned 0x0 [0103.566] SetLastError (dwErrCode=0x0) [0103.566] GetLastError () returned 0x0 [0103.566] SetLastError (dwErrCode=0x0) [0103.566] GetLastError () returned 0x0 [0103.566] SetLastError (dwErrCode=0x0) [0103.566] GetLastError () returned 0x0 [0103.566] SetLastError (dwErrCode=0x0) [0103.566] GetLastError () returned 0x0 [0103.566] SetLastError (dwErrCode=0x0) [0103.566] GetLastError () returned 0x0 [0103.566] SetLastError (dwErrCode=0x0) [0103.566] GetLastError () returned 0x0 [0103.566] SetLastError (dwErrCode=0x0) [0103.566] GetLastError () returned 0x0 [0103.566] SetLastError (dwErrCode=0x0) [0103.566] GetLastError () returned 0x0 [0103.567] SetLastError (dwErrCode=0x0) [0103.567] GetLastError () returned 0x0 [0103.567] SetLastError (dwErrCode=0x0) [0103.567] GetLastError () returned 0x0 [0103.567] SetLastError (dwErrCode=0x0) [0103.567] GetLastError () returned 0x0 [0103.567] SetLastError (dwErrCode=0x0) [0103.567] GetLastError () returned 0x0 [0103.567] SetLastError (dwErrCode=0x0) [0103.567] GetLastError () returned 0x0 [0103.567] SetLastError (dwErrCode=0x0) [0103.567] GetLastError () returned 0x0 [0103.567] SetLastError (dwErrCode=0x0) [0103.567] GetLastError () returned 0x0 [0103.567] SetLastError (dwErrCode=0x0) [0103.567] GetLastError () returned 0x0 [0103.567] SetLastError (dwErrCode=0x0) [0103.567] GetLastError () returned 0x0 [0103.567] SetLastError (dwErrCode=0x0) [0103.567] GetLastError () returned 0x0 [0103.567] SetLastError (dwErrCode=0x0) [0103.567] GetLastError () returned 0x0 [0103.567] SetLastError (dwErrCode=0x0) [0103.567] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.568] GetLastError () returned 0x0 [0103.568] SetLastError (dwErrCode=0x0) [0103.569] GetLastError () returned 0x0 [0103.569] SetLastError (dwErrCode=0x0) [0103.569] GetLastError () returned 0x0 [0103.569] SetLastError (dwErrCode=0x0) [0103.569] GetLastError () returned 0x0 [0103.569] SetLastError (dwErrCode=0x0) [0103.569] GetLastError () returned 0x0 [0103.569] SetLastError (dwErrCode=0x0) [0103.569] GetLastError () returned 0x0 [0103.569] SetLastError (dwErrCode=0x0) [0103.569] GetLastError () returned 0x0 [0103.569] SetLastError (dwErrCode=0x0) [0103.569] GetLastError () returned 0x0 [0103.569] SetLastError (dwErrCode=0x0) [0103.569] GetLastError () returned 0x0 [0103.569] SetLastError (dwErrCode=0x0) [0103.569] GetLastError () returned 0x0 [0103.569] SetLastError (dwErrCode=0x0) [0103.569] GetLastError () returned 0x0 [0103.570] SetLastError (dwErrCode=0x0) [0103.570] GetLastError () returned 0x0 [0103.570] SetLastError (dwErrCode=0x0) [0103.570] GetLastError () returned 0x0 [0103.570] SetLastError (dwErrCode=0x0) [0103.570] GetLastError () returned 0x0 [0103.570] SetLastError (dwErrCode=0x0) [0103.570] GetLastError () returned 0x0 [0103.570] SetLastError (dwErrCode=0x0) [0103.570] GetLastError () returned 0x0 [0103.570] SetLastError (dwErrCode=0x0) [0103.570] GetLastError () returned 0x0 [0103.570] SetLastError (dwErrCode=0x0) [0103.570] GetLastError () returned 0x0 [0103.570] SetLastError (dwErrCode=0x0) [0103.570] GetLastError () returned 0x0 [0103.570] SetLastError (dwErrCode=0x0) [0103.570] GetLastError () returned 0x0 [0103.570] SetLastError (dwErrCode=0x0) [0103.570] GetLastError () returned 0x0 [0103.570] SetLastError (dwErrCode=0x0) [0103.570] GetLastError () returned 0x0 [0103.570] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.571] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.571] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.571] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.571] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.571] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.571] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.571] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.571] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.571] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.571] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.571] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.571] SetLastError (dwErrCode=0x0) [0103.571] GetLastError () returned 0x0 [0103.572] SetLastError (dwErrCode=0x0) [0103.572] GetLastError () returned 0x0 [0103.572] SetLastError (dwErrCode=0x0) [0103.572] GetLastError () returned 0x0 [0103.572] SetLastError (dwErrCode=0x0) [0103.572] GetLastError () returned 0x0 [0103.572] SetLastError (dwErrCode=0x0) [0103.572] GetLastError () returned 0x0 [0103.572] SetLastError (dwErrCode=0x0) [0103.572] GetLastError () returned 0x0 [0103.572] SetLastError (dwErrCode=0x0) [0103.572] GetLastError () returned 0x0 [0103.572] SetLastError (dwErrCode=0x0) [0103.572] GetLastError () returned 0x0 [0103.572] SetLastError (dwErrCode=0x0) [0103.572] GetLastError () returned 0x0 [0103.572] SetLastError (dwErrCode=0x0) [0103.572] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x118) returned 0x21541f0 [0103.572] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x1f) returned 0x21507d0 [0103.572] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x2e) returned 0x2154310 [0103.572] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x31) returned 0x2154350 [0103.572] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x3c) returned 0x2154390 [0103.572] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x31) returned 0x21543e0 [0103.572] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x14) returned 0x2150800 [0103.572] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x24) returned 0x2154420 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0xd) returned 0x2154450 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x1d) returned 0x2154470 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x31) returned 0x21544a0 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x15) returned 0x21544e0 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x17) returned 0x2154500 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0xe) returned 0x2154520 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x69) returned 0x2154540 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x3e) returned 0x21545c0 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x1d) returned 0x2154610 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x48) returned 0x2154640 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x12) returned 0x2154690 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x18) returned 0x21546b0 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x1b) returned 0x21546d0 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x1e) returned 0x2154700 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x29) returned 0x2154730 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x1e) returned 0x2154770 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x6b) returned 0x21547a0 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x17) returned 0x2154820 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0xf) returned 0x2154840 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x16) returned 0x2154860 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x2a) returned 0x2154880 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x29) returned 0x21548c0 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x12) returned 0x2154900 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x21) returned 0x2154920 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x16) returned 0x2154950 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x22) returned 0x2154970 [0103.573] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x12) returned 0x21549a0 [0103.586] HeapFree (in: hHeap=0x2150000, dwFlags=0x0, lpMem=0x2150b00 | out: hHeap=0x2150000) returned 1 [0103.588] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x100) returned 0x2150b00 [0103.588] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x1000) returned 0x21549c0 [0103.588] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.589] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.589] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.590] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.603] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.608] GlobalLock (hMem=0x1f70008) returned 0x486690 [0103.608] LocalAlloc (uFlags=0x40, uBytes=0x180) returned 0x4868b0 [0103.609] LocalAlloc (uFlags=0x40, uBytes=0x20) returned 0x474c40 [0103.609] LocalAlloc (uFlags=0x0, uBytes=0x10) returned 0x472bd0 [0103.609] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x486a40 [0103.611] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x0, Size=0x1019) returned 0x21559d0 [0103.611] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x0, Size=0x18) returned 0x2150c10 [0103.611] LocalAlloc (uFlags=0x40, uBytes=0x310) returned 0x486b30 [0103.611] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x0, Size=0x25) returned 0x2150c30 [0103.611] LocalAlloc (uFlags=0x40, uBytes=0xc8) returned 0x486e50 [0103.611] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x0, Size=0x25) returned 0x2150c60 [0103.611] LocalAlloc (uFlags=0x40, uBytes=0x28) returned 0x474df0 [0103.611] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x0, Size=0x24) returned 0x2150c90 [0103.611] GetCursorPos (in: lpPoint=0x486938 | out: lpPoint=0x486938*(x=801, y=28)) returned 1 [0103.612] LocalAlloc (uFlags=0x40, uBytes=0xa8) returned 0x486f20 [0103.612] LocalReAlloc (hMem=0x472bd0, uBytes=0x18, uFlags=0x2) returned 0x466c90 [0103.612] GetCurrentThread () returned 0xfffffffffffffffe [0103.612] GetCurrentThreadId () returned 0x9d8 [0103.613] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.613] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.614] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.614] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.615] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.615] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.616] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.616] RegisterClipboardFormatA (lpszFormat="commctrl_DragListMsg") returned 0xc1db [0103.617] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.617] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.618] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.618] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.619] GetSystemMetrics (nIndex=11) returned 32 [0103.619] GetSystemMetrics (nIndex=12) returned 32 [0103.619] GetSystemMetrics (nIndex=2) returned 17 [0103.619] GetSystemMetrics (nIndex=3) returned 17 [0103.619] GetDC (hWnd=0x0) returned 0xa0100d0 [0103.619] GetDeviceCaps (hdc=0xa0100d0, index=88) returned 96 [0103.619] GetDeviceCaps (hdc=0xa0100d0, index=90) returned 96 [0103.619] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1 [0103.619] GetSysColor (nIndex=15) returned 0xf0f0f0 [0103.619] GetSysColor (nIndex=16) returned 0xa0a0a0 [0103.619] GetSysColor (nIndex=20) returned 0xffffff [0103.619] GetSysColor (nIndex=18) returned 0x0 [0103.619] GetSysColor (nIndex=6) returned 0x646464 [0103.619] GetSysColorBrush (nIndex=15) returned 0x1100074 [0103.620] GetSysColorBrush (nIndex=6) returned 0x110007c [0103.620] LoadCursorA (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0103.620] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0103.621] RtlSizeHeap (HeapHandle=0x2150000, Flags=0x0, MemoryPointer=0x2150b00) returned 0x100 [0103.621] GetOEMCP () returned 0x1b5 [0103.621] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xce300 | out: lpCPInfo=0xce300) returned 1 [0103.623] CoInitialize (pvReserved=0x0) returned 0x1 [0103.623] CoTaskMemAlloc (cb=0x5f5e17e) returned 0x2168040 [0107.194] VirtualAlloc (lpAddress=0x0, dwSize=0xb9d, flAllocationType=0x3000, flProtect=0x40) returned 0x1e30000 [0107.195] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="kernel32.dll", BaseAddress=0xcd600 | out: BaseAddress=0xcd600*=0x7ff927b50000) returned 0x0 [0107.196] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="VirtualAlloc", Ordinal=0x0, ProcedureAddress=0xcd6d0 | out: ProcedureAddress=0xcd6d0*=0x7ff927b728c0) returned 0x0 [0107.197] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="VirtualProtect", Ordinal=0x0, ProcedureAddress=0xcd700 | out: ProcedureAddress=0xcd700*=0x7ff927b73a90) returned 0x0 [0107.197] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="FlushInstructionCache", Ordinal=0x0, ProcedureAddress=0xcd708 | out: ProcedureAddress=0xcd708*=0x7ff927b70c70) returned 0x0 [0107.197] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="GetNativeSystemInfo", Ordinal=0x0, ProcedureAddress=0xcd748 | out: ProcedureAddress=0xcd748*=0x7ff927b78a00) returned 0x0 [0107.197] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="Sleep", Ordinal=0x0, ProcedureAddress=0xcd6f0 | out: ProcedureAddress=0xcd6f0*=0x7ff927b6b7b0) returned 0x0 [0107.198] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="RtlAddFunctionTable", Ordinal=0x0, ProcedureAddress=0xcd750 | out: ProcedureAddress=0xcd750*=0x7ff927b76a10) returned 0x0 [0107.198] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="LoadLibraryA", Ordinal=0x0, ProcedureAddress=0xcd6f8 | out: ProcedureAddress=0xcd6f8*=0x7ff927b774d0) returned 0x0 [0107.198] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="FindResourceW", Ordinal=0x0, ProcedureAddress=0xcd720 | out: ProcedureAddress=0xcd720*=0x7ff927b769f0) returned 0x0 [0107.198] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="LoadResource", Ordinal=0x0, ProcedureAddress=0xcd728 | out: ProcedureAddress=0xcd728*=0x7ff927b73e60) returned 0x0 [0107.198] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="SizeofResource", Ordinal=0x0, ProcedureAddress=0xcd730 | out: ProcedureAddress=0xcd730*=0x7ff927b74460) returned 0x0 [0107.198] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="LockResource", Ordinal=0x0, ProcedureAddress=0xcd738 | out: ProcedureAddress=0xcd738*=0x7ff927b74450) returned 0x0 [0107.205] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="FreeResource", Ordinal=0x0, ProcedureAddress=0xcd740 | out: ProcedureAddress=0xcd740*=0x7ff927b78ee0) returned 0x0 [0107.205] FindResourceW (hModule=0x1d20000, lpName=0x6dde, lpType=0x17) returned 0x1de6c80 [0107.205] LoadResource (hModule=0x1d20000, hResInfo=0x1de6c80) returned 0x1defff8 [0107.205] SizeofResource (hModule=0x1d20000, hResInfo=0x1de6c80) returned 0x2d600 [0107.205] LockResource (hResData=0x1defff8) returned 0x1defff8 [0107.205] VirtualAlloc (lpAddress=0x0, dwSize=0x2d600, flAllocationType=0x3000, flProtect=0x40) returned 0x1e40000 [0107.272] FreeResource (hResData=0x1defff8) returned 0 [0107.272] GetNativeSystemInfo (in: lpSystemInfo=0xcd760 | out: lpSystemInfo=0xcd760*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0107.272] VirtualAlloc (lpAddress=0x180000000, dwSize=0x30000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0107.273] VirtualAlloc (lpAddress=0x0, dwSize=0x30000, flAllocationType=0x3000, flProtect=0x4) returned 0x1e70000 [0107.278] VirtualProtect (in: lpAddress=0x1e71000, dwSize=0x2b600, flNewProtect=0x20, lpflOldProtect=0xcd7e8 | out: lpflOldProtect=0xcd7e8*=0x4) returned 1 [0107.297] VirtualProtect (in: lpAddress=0x1e9d000, dwSize=0xc00, flNewProtect=0x2, lpflOldProtect=0xcd7e8 | out: lpflOldProtect=0xcd7e8*=0x4) returned 1 [0107.297] VirtualProtect (in: lpAddress=0x1e9f000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0xcd7e8 | out: lpflOldProtect=0xcd7e8*=0x4) returned 1 [0107.297] FlushInstructionCache (hProcess=0xffffffffffffffff, lpBaseAddress=0x0, dwSize=0x0) returned 1 [0107.297] RtlAddFunctionTable (FunctionTable=0x1e9f000, EntryCount=0x13a, BaseAddress=0x1e70000, TargetGp=0x7ff927b76a10) returned 1 [0107.303] SetErrorMode (uMode=0x0) returned 0x1 [0107.304] GetProcAddress (hModule=0x1d20000, lpProcName="DllRegisterServer") returned 0x1d291a0 [0107.322] GetProcessHeap () returned 0x460000 [0107.327] GetModuleHandleA (lpModuleName="NTDLL") returned 0x7ff92a680000 [0107.327] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x68) returned 0x475730 [0107.327] GetProcessHeap () returned 0x460000 [0107.327] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x20) returned 0x474d90 [0107.329] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x7ff928830000 [0107.337] GetProcessHeap () returned 0x460000 [0107.338] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x474d90 | out: hHeap=0x460000) returned 1 [0107.339] GetProcessHeap () returned 0x460000 [0107.339] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x472cf0 [0107.339] LoadLibraryW (lpLibFileName="bcrypt.dll") returned 0x7ff926b30000 [0107.339] GetProcessHeap () returned 0x460000 [0107.339] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x472cf0 | out: hHeap=0x460000) returned 1 [0107.339] GetProcessHeap () returned 0x460000 [0107.339] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x472c70 [0107.339] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x7ff926fb0000 [0107.357] GetProcessHeap () returned 0x460000 [0107.357] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x472c70 | out: hHeap=0x460000) returned 1 [0107.357] GetProcessHeap () returned 0x460000 [0107.357] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x472c10 [0107.357] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7ff9288e0000 [0107.357] GetProcessHeap () returned 0x460000 [0107.357] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x472c10 | out: hHeap=0x460000) returned 1 [0107.359] GetProcessHeap () returned 0x460000 [0107.359] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x472cf0 [0107.359] LoadLibraryW (lpLibFileName="shlwapi.dll") returned 0x7ff927ed0000 [0107.359] GetProcessHeap () returned 0x460000 [0107.359] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x472cf0 | out: hHeap=0x460000) returned 1 [0107.360] GetProcessHeap () returned 0x460000 [0107.360] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x472a70 [0107.360] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x7ff917680000 [0107.400] GetProcessHeap () returned 0x460000 [0107.400] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x472a70 | out: hHeap=0x460000) returned 1 [0107.400] GetProcessHeap () returned 0x460000 [0107.400] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x472a30 [0107.400] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x7ff926400000 [0107.407] GetProcessHeap () returned 0x460000 [0107.407] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x472a30 | out: hHeap=0x460000) returned 1 [0107.407] GetProcessHeap () returned 0x460000 [0107.407] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x18) returned 0x472b70 [0107.407] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x7ff917eb0000 [0108.142] GetProcessHeap () returned 0x460000 [0108.142] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x472b70 | out: hHeap=0x460000) returned 1 [0108.143] GetProcessHeap () returned 0x460000 [0108.143] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x20) returned 0x475210 [0108.143] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x7ff925320000 [0108.359] GetProcessHeap () returned 0x460000 [0108.359] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x475210 | out: hHeap=0x460000) returned 1 [0108.359] GetProcessHeap () returned 0x460000 [0108.359] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x40) returned 0x476d20 [0108.359] GetProcessHeap () returned 0x460000 [0108.359] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x4000) returned 0x486fd0 [0108.360] GetProcessHeap () returned 0x460000 [0108.360] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x8) returned 0x4757a0 [0108.360] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce588, pszAlgId="RNG", pszImplementation=0x0, dwFlags=0x0 | out: phAlgorithm=0xce588) returned 0x0 [0108.394] GetProcessHeap () returned 0x460000 [0108.394] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4757a0 | out: hHeap=0x460000) returned 1 [0108.395] BCryptGenRandom (in: hAlgorithm=0x47fc70, pbBuffer=0x486fd0, cbBuffer=0x4000, dwFlags=0x0 | out: pbBuffer=0x486fd0) returned 0x0 [0108.397] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x47fc70, dwFlags=0x0 | out: hAlgorithm=0x47fc70) returned 0x0 [0108.398] GetProcessHeap () returned 0x460000 [0108.398] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x230) returned 0x4801b0 [0108.402] GetModuleFileNameW (in: hModule=0x1d20000, lpFilename=0x4801d8, nSize=0x104 | out: lpFilename="C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx")) returned 0x62 [0108.404] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x48b3f0 [0108.421] CloseServiceHandle (hSCObject=0x48b3f0) returned 1 [0108.424] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x204 [0108.455] Process32FirstW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0108.457] GetCurrentProcessId () returned 0xce8 [0108.457] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0108.458] GetCurrentProcessId () returned 0xce8 [0108.458] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0108.459] GetCurrentProcessId () returned 0xce8 [0108.459] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.460] GetCurrentProcessId () returned 0xce8 [0108.460] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0108.461] GetCurrentProcessId () returned 0xce8 [0108.461] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0108.462] GetCurrentProcessId () returned 0xce8 [0108.462] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x200, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0108.462] GetCurrentProcessId () returned 0xce8 [0108.462] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c4, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0108.463] GetCurrentProcessId () returned 0xce8 [0108.463] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1c4, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0108.464] GetCurrentProcessId () returned 0xce8 [0108.464] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x278, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2b, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.465] GetCurrentProcessId () returned 0xce8 [0108.465] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.466] GetCurrentProcessId () returned 0xce8 [0108.466] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x200, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0108.466] GetCurrentProcessId () returned 0xce8 [0108.466] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x60, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.467] GetCurrentProcessId () returned 0xce8 [0108.467] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.468] GetCurrentProcessId () returned 0xce8 [0108.468] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.469] GetCurrentProcessId () returned 0xce8 [0108.469] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.470] GetCurrentProcessId () returned 0xce8 [0108.470] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.475] GetCurrentProcessId () returned 0xce8 [0108.475] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.476] GetCurrentProcessId () returned 0xce8 [0108.476] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x470, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.477] GetCurrentProcessId () returned 0xce8 [0108.477] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0108.478] GetCurrentProcessId () returned 0xce8 [0108.478] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0108.479] GetCurrentProcessId () returned 0xce8 [0108.479] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0108.480] GetCurrentProcessId () returned 0xce8 [0108.480] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0108.481] GetCurrentProcessId () returned 0xce8 [0108.481] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.482] GetCurrentProcessId () returned 0xce8 [0108.482] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0108.483] GetCurrentProcessId () returned 0xce8 [0108.483] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0108.484] GetCurrentProcessId () returned 0xce8 [0108.484] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0108.485] GetCurrentProcessId () returned 0xce8 [0108.485] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xab4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="SkypeHost.exe")) returned 1 [0108.486] GetCurrentProcessId () returned 0xce8 [0108.486] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0108.487] GetCurrentProcessId () returned 0xce8 [0108.487] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0108.489] GetCurrentProcessId () returned 0xce8 [0108.489] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xef0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.501] GetCurrentProcessId () returned 0xce8 [0108.501] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xda0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0108.502] GetCurrentProcessId () returned 0xce8 [0108.502] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xec8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x368, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0108.503] GetCurrentProcessId () returned 0xce8 [0108.504] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xcec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0108.505] GetCurrentProcessId () returned 0xce8 [0108.505] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0108.506] GetCurrentProcessId () returned 0xce8 [0108.506] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0108.507] GetCurrentProcessId () returned 0xce8 [0108.507] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0108.508] GetCurrentProcessId () returned 0xce8 [0108.508] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0108.511] GetCurrentProcessId () returned 0xce8 [0108.511] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0108.512] GetCurrentProcessId () returned 0xce8 [0108.512] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x214, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teacher.exe")) returned 1 [0108.513] GetCurrentProcessId () returned 0xce8 [0108.513] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="purpose key need.exe")) returned 1 [0108.514] GetCurrentProcessId () returned 0xce8 [0108.514] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="east_else.exe")) returned 1 [0108.515] GetCurrentProcessId () returned 0xce8 [0108.515] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="born-himself.exe")) returned 1 [0108.517] GetCurrentProcessId () returned 0xce8 [0108.517] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="save.exe")) returned 1 [0108.517] GetCurrentProcessId () returned 0xce8 [0108.517] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="east bill series.exe")) returned 1 [0108.518] GetCurrentProcessId () returned 0xce8 [0108.518] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="violence.exe")) returned 1 [0108.519] GetCurrentProcessId () returned 0xce8 [0108.520] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tend.exe")) returned 1 [0108.521] GetCurrentProcessId () returned 0xce8 [0108.521] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x68c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="campaign worry know.exe")) returned 1 [0108.524] GetCurrentProcessId () returned 0xce8 [0108.524] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x760, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="state-others.exe")) returned 1 [0108.525] GetCurrentProcessId () returned 0xce8 [0108.525] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="headnew.exe")) returned 1 [0108.526] GetCurrentProcessId () returned 0xce8 [0108.526] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="present reason team.exe")) returned 1 [0108.527] GetCurrentProcessId () returned 0xce8 [0108.527] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1018, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="effort represent.exe")) returned 1 [0108.528] GetCurrentProcessId () returned 0xce8 [0108.528] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="live bank.exe")) returned 1 [0108.529] GetCurrentProcessId () returned 0xce8 [0108.529] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1030, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="outside.exe")) returned 1 [0108.531] GetCurrentProcessId () returned 0xce8 [0108.531] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="company-american-cell.exe")) returned 1 [0108.532] GetCurrentProcessId () returned 0xce8 [0108.532] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0108.533] GetCurrentProcessId () returned 0xce8 [0108.533] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x10b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0xe38, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0108.534] GetCurrentProcessId () returned 0xce8 [0108.535] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0108.536] GetCurrentProcessId () returned 0xce8 [0108.536] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0108.538] GetCurrentProcessId () returned 0xce8 [0108.538] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x111c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0108.539] GetCurrentProcessId () returned 0xce8 [0108.539] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0108.541] GetCurrentProcessId () returned 0xce8 [0108.541] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0108.543] GetCurrentProcessId () returned 0xce8 [0108.543] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0108.545] GetCurrentProcessId () returned 0xce8 [0108.545] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x114c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0108.546] GetCurrentProcessId () returned 0xce8 [0108.546] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x115c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0108.548] GetCurrentProcessId () returned 0xce8 [0108.548] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0108.550] GetCurrentProcessId () returned 0xce8 [0108.550] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0108.551] GetCurrentProcessId () returned 0xce8 [0108.551] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0108.553] GetCurrentProcessId () returned 0xce8 [0108.554] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0108.555] GetCurrentProcessId () returned 0xce8 [0108.555] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x119c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0108.557] GetCurrentProcessId () returned 0xce8 [0108.557] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0108.558] GetCurrentProcessId () returned 0xce8 [0108.558] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0108.563] GetCurrentProcessId () returned 0xce8 [0108.563] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0108.566] GetCurrentProcessId () returned 0xce8 [0108.566] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0108.567] GetCurrentProcessId () returned 0xce8 [0108.567] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0108.568] GetCurrentProcessId () returned 0xce8 [0108.569] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0108.570] GetCurrentProcessId () returned 0xce8 [0108.570] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1200, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0108.571] GetCurrentProcessId () returned 0xce8 [0108.571] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0108.573] GetCurrentProcessId () returned 0xce8 [0108.573] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0108.575] GetCurrentProcessId () returned 0xce8 [0108.575] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0108.576] GetCurrentProcessId () returned 0xce8 [0108.576] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0108.578] GetCurrentProcessId () returned 0xce8 [0108.578] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1238, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0108.581] GetCurrentProcessId () returned 0xce8 [0108.581] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0108.582] GetCurrentProcessId () returned 0xce8 [0108.582] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0108.584] GetCurrentProcessId () returned 0xce8 [0108.584] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x126c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0108.585] GetCurrentProcessId () returned 0xce8 [0108.585] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0108.587] GetCurrentProcessId () returned 0xce8 [0108.587] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1284, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0108.588] GetCurrentProcessId () returned 0xce8 [0108.588] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x128c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0108.589] GetCurrentProcessId () returned 0xce8 [0108.589] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0108.591] GetCurrentProcessId () returned 0xce8 [0108.591] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0108.592] GetCurrentProcessId () returned 0xce8 [0108.592] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0108.593] GetCurrentProcessId () returned 0xce8 [0108.593] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0108.594] GetCurrentProcessId () returned 0xce8 [0108.594] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0108.596] GetCurrentProcessId () returned 0xce8 [0108.596] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0108.597] GetCurrentProcessId () returned 0xce8 [0108.597] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0108.599] GetCurrentProcessId () returned 0xce8 [0108.599] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0108.600] GetCurrentProcessId () returned 0xce8 [0108.600] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0108.601] GetCurrentProcessId () returned 0xce8 [0108.601] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0108.606] GetCurrentProcessId () returned 0xce8 [0108.606] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0108.607] GetCurrentProcessId () returned 0xce8 [0108.607] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0108.608] GetCurrentProcessId () returned 0xce8 [0108.608] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="side_wrong.exe")) returned 1 [0108.611] GetCurrentProcessId () returned 0xce8 [0108.611] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="underless.exe")) returned 1 [0108.613] GetCurrentProcessId () returned 0xce8 [0108.613] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x904, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x368, pcPriClassBase=6, dwFlags=0x0, szExeFile="msfeedssync.exe")) returned 1 [0108.614] GetCurrentProcessId () returned 0xce8 [0108.614] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x394, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0108.615] GetCurrentProcessId () returned 0xce8 [0108.615] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="iTsDZL.exe")) returned 1 [0108.616] GetCurrentProcessId () returned 0xce8 [0108.616] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xce8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xd7c, pcPriClassBase=8, dwFlags=0x0, szExeFile="regsvr32.exe")) returned 1 [0108.617] GetCurrentProcessId () returned 0xce8 [0108.618] CloseHandle (hObject=0x204) returned 1 [0108.618] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xd7c) returned 0x204 [0108.618] QueryFullProcessImageNameW (in: hProcess=0x204, dwFlags=0x0, lpExeName=0xce390, lpdwSize=0xce320 | out: lpExeName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iTsDZL.exe", lpdwSize=0xce320) returned 1 [0108.619] CloseHandle (hObject=0x204) returned 1 [0108.619] PathFindFileNameW (pszPath="C:\\Users\\RDhJ0CNFevzX\\Desktop\\iTsDZL.exe") returned="iTsDZL.exe" [0108.621] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0xce180 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0108.629] lstrlenW (lpString="C:\\Windows\\system32") returned 19 [0108.629] StrCmpNIW (lpStr1="C:\\Users\\RDHJ0C~1\\D", lpStr2="C:\\Windows\\system32", nChar=19) returned -1 [0108.830] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x4801d8 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0108.830] lstrlenW (lpString="C:\\Windows\\system32") returned 19 [0108.830] GetModuleFileNameW (in: hModule=0x1d20000, lpFilename=0xce3a0, nSize=0x104 | out: lpFilename="C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx")) returned 0x62 [0108.830] lstrcpyW (in: lpString1=0xcdf30, lpString2="C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx" | out: lpString1="C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx") returned="C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx" [0108.830] lstrcpyW (in: lpString1=0xce140, lpString2="C:\\Windows\\system32\\WIMQPStO\\mlES.dll" | out: lpString1="C:\\Windows\\system32\\WIMQPStO\\mlES.dll") returned="C:\\Windows\\system32\\WIMQPStO\\mlES.dll" [0108.831] SHFileOperationW (in: lpFileOp=0xcdef0*(hwnd=0x0, wFunc=0x1, pFrom="C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx", pTo="C:\\Windows\\system32\\WIMQPStO\\mlES.dll", fFlags=0xe14, fAnyOperationsAborted=0, hNameMappings=0x0, lpszProgressTitle=0x0) | out: lpFileOp=0xcdef0*(hwnd=0x0, wFunc=0x1, pFrom="C:\\Users\\RDHJ0C~1\\Desktop\\dba6bdca7d5fc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx", pTo="C:\\Windows\\system32\\WIMQPStO\\mlES.dll", fFlags=0xe14, fAnyOperationsAborted=0, hNameMappings=0x0, lpszProgressTitle=0x0)) returned 0 [0113.387] GetProcessHeap () returned 0x460000 [0113.387] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x28) returned 0x4cb9c0 [0113.451] _snwprintf (in: _Dest=0xce140, _Count=0x104, _Format="%s:Zone.Identifier" | out: _Dest="C:\\Windows\\system32\\WIMQPStO\\mlES.dll:Zone.Identifier") returned 53 [0113.456] GetProcessHeap () returned 0x460000 [0113.457] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4cb9c0 | out: hHeap=0x460000) returned 1 [0113.459] DeleteFileW (lpFileName="C:\\Windows\\system32\\WIMQPStO\\mlES.dll:Zone.Identifier" (normalized: "c:\\windows\\system32\\wimqpsto\\mles.dll:zone.identifier")) returned 0 [0113.472] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0xce170 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0113.472] GetProcessHeap () returned 0x460000 [0113.472] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x30) returned 0x4bbb60 [0113.472] _snwprintf (in: _Dest=0xce380, _Count=0x104, _Format="%s\\regsvr32.exe \"%s\"" | out: _Dest="C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\WIMQPStO\\mlES.dll\"") returned 72 [0113.472] GetProcessHeap () returned 0x460000 [0113.472] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4bbb60 | out: hHeap=0x460000) returned 1 [0113.478] PathFindFileNameW (pszPath="C:\\Windows\\system32\\WIMQPStO\\mlES.dll") returned="mlES.dll" [0113.480] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x4cba50 [0113.483] CreateServiceW (in: hSCManager=0x4cba50, lpServiceName="mlES.dll", lpDisplayName="mlES.dll", dwDesiredAccess=0x2, dwServiceType=0x10, dwStartType=0x2, dwErrorControl=0x0, lpBinaryPathName="C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\WIMQPStO\\mlES.dll\"", lpLoadOrderGroup=0x0, lpdwTagId=0x0, lpDependencies=0x0, lpServiceStartName=0x0, lpPassword=0x0 | out: lpdwTagId=0x0) returned 0x4cbae0 [0114.267] GetProcessHeap () returned 0x460000 [0114.268] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x20000) returned 0x4d1c30 [0114.279] GetProcessHeap () returned 0x460000 [0114.279] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x2000) returned 0x4c5e20 [0114.280] EnumServicesStatusExW (in: hSCManager=0x4cba50, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x4d1c30, cbBufSize=0x20000, pcbBytesNeeded=0xce030, lpServicesReturned=0xce028, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4d1c30, pcbBytesNeeded=0xce030, lpServicesReturned=0xce028, lpResumeHandle=0x0) returned 1 [0114.322] GetTickCount () returned 0x20c7327 [0114.324] OpenServiceW (hSCManager=0x4cba50, lpServiceName="AudioEndpointBuilder", dwDesiredAccess=0x1) returned 0x4cbff0 [0114.325] QueryServiceConfig2W (in: hService=0x4cbff0, dwInfoLevel=0x1, lpBuffer=0x4c5e20, cbBufSize=0x2000, pcbBytesNeeded=0xce038 | out: lpBuffer=0x4c5e20, pcbBytesNeeded=0xce038) returned 1 [0114.328] CloseServiceHandle (hSCObject=0x4cbff0) returned 1 [0114.329] ChangeServiceConfig2W (hService=0x4cbae0, dwInfoLevel=0x1, lpInfo=0x4c5e20*(lpDescription="Manages audio devices for the Windows Audio service. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start")) returned 1 [0114.333] GetProcessHeap () returned 0x460000 [0114.333] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4c5e20 | out: hHeap=0x460000) returned 1 [0114.333] GetProcessHeap () returned 0x460000 [0114.334] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4d1c30 | out: hHeap=0x460000) returned 1 [0114.337] CloseServiceHandle (hSCObject=0x4cbae0) returned 1 [0114.337] CloseServiceHandle (hSCObject=0x4cba50) returned 1 [0114.338] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0xce190 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0114.338] GetProcessHeap () returned 0x460000 [0114.338] RtlAllocateHeap (HeapHandle=0x460000, Flags=0x8, Size=0x30) returned 0x4bba60 [0114.339] _snwprintf (in: _Dest=0xce3a0, _Count=0x104, _Format="%s\\regsvr32.exe \"%s\"" | out: _Dest="C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\WIMQPStO\\mlES.dll\"") returned 72 [0114.339] GetProcessHeap () returned 0x460000 [0114.340] HeapFree (in: hHeap=0x460000, dwFlags=0x0, lpMem=0x4bba60 | out: hHeap=0x460000) returned 1 [0114.341] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\WIMQPStO\\mlES.dll\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xce0a0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xce088 | out: lpCommandLine="C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\WIMQPStO\\mlES.dll\"", lpProcessInformation=0xce088*(hProcess=0x2e8, hThread=0x230, dwProcessId=0x5a8, dwThreadId=0x770)) returned 1 [0114.548] CloseHandle (hObject=0x2e8) returned 1 [0114.548] CloseHandle (hObject=0x230) returned 1 [0114.548] ExitProcess (uExitCode=0x0) [0114.551] HeapFree (in: hHeap=0x2150000, dwFlags=0x0, lpMem=0x2150830 | out: hHeap=0x2150000) returned 1 [0114.622] HeapFree (in: hHeap=0x2150000, dwFlags=0x0, lpMem=0x2150c30 | out: hHeap=0x2150000) returned 1 [0114.624] LocalFree (hMem=0x486b30) returned 0x0 [0114.624] HeapFree (in: hHeap=0x2150000, dwFlags=0x0, lpMem=0x2150c60 | out: hHeap=0x2150000) returned 1 [0114.624] LocalFree (hMem=0x486e50) returned 0x0 [0114.625] HeapFree (in: hHeap=0x2150000, dwFlags=0x0, lpMem=0x2150c10 | out: hHeap=0x2150000) returned 1 [0114.625] LocalFree (hMem=0x486f20) returned 0x0 [0114.626] HeapFree (in: hHeap=0x2150000, dwFlags=0x0, lpMem=0x21559d0 | out: hHeap=0x2150000) returned 1 [0114.627] LocalFree (hMem=0x486a40) returned 0x0 [0114.627] LocalFree (hMem=0x4868b0) returned 0x0 [0114.630] HeapFree (in: hHeap=0x2150000, dwFlags=0x0, lpMem=0x21549c0 | out: hHeap=0x2150000) returned 1 Thread: id = 10 os_tid = 0x284 Thread: id = 11 os_tid = 0xcd0 [0109.322] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x2c8) returned 0x2150cc0 [0109.322] GetCurrentThreadId () returned 0xcd0 Thread: id = 12 os_tid = 0xf6c [0109.674] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x2c8) returned 0x2156a00 [0109.675] GetCurrentThreadId () returned 0xf6c Thread: id = 13 os_tid = 0xf68 [0110.526] RtlAllocateHeap (HeapHandle=0x2150000, Flags=0x8, Size=0x2c8) returned 0x2156cd0 [0110.526] GetCurrentThreadId () returned 0xf68 Process: id = "3" image_name = "regsvr32.exe" filename = "c:\\windows\\system32\\regsvr32.exe" page_root = "0x50bcb000" os_pid = "0x5a8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xce8" cmd_line = "C:\\Windows\\system32\\regsvr32.exe \"C:\\Windows\\system32\\WIMQPStO\\mlES.dll\"" cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\" os_username = "XC64ZB\\RDhJ0CNFevzX" bitness = "32" os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f46a" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 576 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 577 start_va = 0x30000 end_va = 0x44fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 578 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 579 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 580 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 581 start_va = 0x7df5fffc0000 end_va = 0x7df5fffe2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5fffc0000" filename = "" Region: id = 582 start_va = 0x7df5ffff0000 end_va = 0x7ff5fffeffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffff0000" filename = "" Region: id = 583 start_va = 0x7ff6e8c90000 end_va = 0x7ff6e8c98fff monitored = 1 entry_point = 0x7ff6e8c92810 region_type = mapped_file name = "regsvr32.exe" filename = "\\Windows\\System32\\regsvr32.exe" (normalized: "c:\\windows\\system32\\regsvr32.exe") Region: id = 584 start_va = 0x7ff92a680000 end_va = 0x7ff92a840fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 586 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 587 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 588 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 590 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 591 start_va = 0x7ff9271d0000 end_va = 0x7ff9273b7fff monitored = 0 entry_point = 0x7ff9271fba70 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 592 start_va = 0x7ff927b50000 end_va = 0x7ff927bfcfff monitored = 0 entry_point = 0x7ff927b681a0 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 593 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 594 start_va = 0x7df5ffec0000 end_va = 0x7df5fffbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007df5ffec0000" filename = "" Region: id = 595 start_va = 0x100000 end_va = 0x1bdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 596 start_va = 0x7ff925490000 end_va = 0x7ff925508fff monitored = 0 entry_point = 0x7ff9254afb90 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 597 start_va = 0x7df5ffe40000 end_va = 0x7df5ffebdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\AppPatch\\apppatch64\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\apppatch64\\sysmain.sdb") Region: id = 598 start_va = 0x7ff90e810000 end_va = 0x7ff90ec92fff monitored = 0 entry_point = 0x7ff90e814e70 region_type = mapped_file name = "aclayers.dll" filename = "\\Windows\\AppPatch\\apppatch64\\AcLayers.dll" (normalized: "c:\\windows\\apppatch\\apppatch64\\aclayers.dll") Region: id = 599 start_va = 0x7ff929e40000 end_va = 0x7ff929edcfff monitored = 0 entry_point = 0x7ff929e478a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 600 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 601 start_va = 0x7ff92a520000 end_va = 0x7ff92a675fff monitored = 0 entry_point = 0x7ff92a52a8d0 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 602 start_va = 0x7ff929ee0000 end_va = 0x7ff92a065fff monitored = 0 entry_point = 0x7ff929f2ffc0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 603 start_va = 0x7ff927ed0000 end_va = 0x7ff927f21fff monitored = 0 entry_point = 0x7ff927edf530 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 604 start_va = 0x7ff9282c0000 end_va = 0x7ff92853cfff monitored = 0 entry_point = 0x7ff928394970 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 605 start_va = 0x7ff928540000 end_va = 0x7ff92865bfff monitored = 0 entry_point = 0x7ff9285802b0 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 606 start_va = 0x7ff927a10000 end_va = 0x7ff927a79fff monitored = 0 entry_point = 0x7ff927a46d50 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 607 start_va = 0x180000000 end_va = 0x180002fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 608 start_va = 0x7ff916410000 end_va = 0x7ff916493fff monitored = 0 entry_point = 0x7ff916422830 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 609 start_va = 0x7ff926b30000 end_va = 0x7ff926b58fff monitored = 0 entry_point = 0x7ff926b44530 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 610 start_va = 0x7ff91a560000 end_va = 0x7ff91a570fff monitored = 0 entry_point = 0x7ff91a563e10 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 611 start_va = 0x680000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 612 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 613 start_va = 0x400000 end_va = 0x438fff monitored = 0 entry_point = 0x4012f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 614 start_va = 0x680000 end_va = 0x807fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 615 start_va = 0x860000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 616 start_va = 0x7ff927c80000 end_va = 0x7ff927cbafff monitored = 0 entry_point = 0x7ff927c812f0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 617 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 618 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 619 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "regsvr32.exe.mui" filename = "\\Windows\\System32\\en-US\\regsvr32.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\regsvr32.exe.mui") Region: id = 620 start_va = 0x870000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 621 start_va = 0xa00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 622 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 623 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 624 start_va = 0x7ff928830000 end_va = 0x7ff9288d6fff monitored = 0 entry_point = 0x7ff9288458d0 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 625 start_va = 0x7ff927af0000 end_va = 0x7ff927b4afff monitored = 0 entry_point = 0x7ff927b038b0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 626 start_va = 0x420000 end_va = 0x49ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 627 start_va = 0x7ff928110000 end_va = 0x7ff928252fff monitored = 0 entry_point = 0x7ff928138210 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 628 start_va = 0x7ff91da80000 end_va = 0x7ff91dcf3fff monitored = 0 entry_point = 0x7ff91daf0400 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll") Region: id = 629 start_va = 0x4a0000 end_va = 0x55ffff monitored = 0 entry_point = 0x4c0da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 630 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 631 start_va = 0x4b0000 end_va = 0x4b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 632 start_va = 0x1e00000 end_va = 0x1edcfff monitored = 0 entry_point = 0x1e5e0b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 633 start_va = 0x7ff926ca0000 end_va = 0x7ff926caefff monitored = 0 entry_point = 0x7ff926ca3210 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 634 start_va = 0x7ff925530000 end_va = 0x7ff9255c5fff monitored = 0 entry_point = 0x7ff925555570 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 635 start_va = 0x1e00000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 636 start_va = 0x1e00000 end_va = 0x1f00fff monitored = 0 entry_point = 0x1e57708 region_type = mapped_file name = "mles.dllfc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx" filename = "\\Windows\\System32\\WIMQPStO\\mlES.dllfc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx" (normalized: "c:\\windows\\system32\\wimqpsto\\mles.dllfc58fee89cecdc9566cc1bfd2f33cf5a6b4852634d7981b31da26.exe.ocx") Region: id = 637 start_va = 0x1f60000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 638 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 639 start_va = 0x7ff927f30000 end_va = 0x7ff92803afff monitored = 0 entry_point = 0x7ff927f52300 region_type = mapped_file name = "comdlg32.dll" filename = "\\Windows\\System32\\comdlg32.dll" (normalized: "c:\\windows\\system32\\comdlg32.dll") Region: id = 640 start_va = 0x7ff926ed0000 end_va = 0x7ff926f84fff monitored = 0 entry_point = 0x7ff926f122e0 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 641 start_va = 0x7ff9288e0000 end_va = 0x7ff929e3efff monitored = 0 entry_point = 0x7ff928a411f0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 642 start_va = 0x7ff927180000 end_va = 0x7ff9271c2fff monitored = 0 entry_point = 0x7ff927194b50 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 643 start_va = 0x7ff9273c0000 end_va = 0x7ff927a03fff monitored = 0 entry_point = 0x7ff9275864b0 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 644 start_va = 0x7ff926cb0000 end_va = 0x7ff926cfafff monitored = 0 entry_point = 0x7ff926cb35f0 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 645 start_va = 0x7ff926d00000 end_va = 0x7ff926d13fff monitored = 0 entry_point = 0x7ff926d052e0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 646 start_va = 0x7ff926d30000 end_va = 0x7ff926db5fff monitored = 0 entry_point = 0x7ff926d3d8f0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 647 start_va = 0x7ff926f90000 end_va = 0x7ff926fa6fff monitored = 0 entry_point = 0x7ff926f91390 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 648 start_va = 0x7ff928040000 end_va = 0x7ff928100fff monitored = 0 entry_point = 0x7ff928060da0 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 649 start_va = 0x7ff91e8c0000 end_va = 0x7ff91e8cbfff monitored = 0 entry_point = 0x7ff91e8c1860 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\System32\\davhlpr.dll" (normalized: "c:\\windows\\system32\\davhlpr.dll") Region: id = 650 start_va = 0x7ff925a20000 end_va = 0x7ff925a51fff monitored = 0 entry_point = 0x7ff925a32340 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 651 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 652 start_va = 0x4c0000 end_va = 0x57bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 653 start_va = 0x810000 end_va = 0x813fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 654 start_va = 0x820000 end_va = 0x826fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 655 start_va = 0x1f70000 end_va = 0x204ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 656 start_va = 0x830000 end_va = 0x836fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 657 start_va = 0x2050000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 658 start_va = 0x2150000 end_va = 0x80bafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 659 start_va = 0x840000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 660 start_va = 0x1f10000 end_va = 0x1f3dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 661 start_va = 0x1f70000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 662 start_va = 0x2040000 end_va = 0x204ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 663 start_va = 0x850000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 664 start_va = 0x7ff926fb0000 end_va = 0x7ff927176fff monitored = 0 entry_point = 0x7ff92700db80 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 665 start_va = 0x7ff926d20000 end_va = 0x7ff926d2ffff monitored = 0 entry_point = 0x7ff926d256e0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 666 start_va = 0x7ff917680000 end_va = 0x7ff917837fff monitored = 0 entry_point = 0x7ff9176ee630 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 667 start_va = 0x7ff920de0000 end_va = 0x7ff921161fff monitored = 0 entry_point = 0x7ff920e31220 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 668 start_va = 0x7ff926400000 end_va = 0x7ff92641efff monitored = 0 entry_point = 0x7ff926405d30 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 669 start_va = 0x7ff917eb0000 end_va = 0x7ff91813dfff monitored = 0 entry_point = 0x7ff917f80f00 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 670 start_va = 0x7ff925320000 end_va = 0x7ff925332fff monitored = 0 entry_point = 0x7ff925322760 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 671 start_va = 0x1f40000 end_va = 0x1f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 672 start_va = 0x1f40000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 673 start_va = 0x1fa0000 end_va = 0x1faefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001fa0000" filename = "" Region: id = 674 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 675 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 676 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 677 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 678 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 679 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 680 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 681 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 682 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 683 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 684 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 685 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 686 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 687 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 688 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 689 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 690 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 691 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 692 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 693 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 694 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 695 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 696 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 697 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 698 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 699 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 700 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 701 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 702 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 703 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 704 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 705 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 706 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 707 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 708 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 709 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 710 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 711 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 712 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 713 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 714 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 715 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 716 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 717 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 718 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 719 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 720 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 721 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 722 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 723 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 724 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 725 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 726 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 727 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 728 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 729 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 730 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 731 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 732 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 733 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 734 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 735 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 736 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 737 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 738 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 739 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 740 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 741 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 742 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 743 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 744 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 745 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 746 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 747 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 748 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 749 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 750 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 751 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 752 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 753 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 754 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 755 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 756 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 757 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 758 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 759 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 760 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 761 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 762 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 763 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 764 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 765 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 766 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 767 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 768 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 769 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 770 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 771 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 772 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 773 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 774 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 775 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 776 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 777 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 778 start_va = 0x1f40000 end_va = 0x1f4efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 779 start_va = 0x1f40000 end_va = 0x1f40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 780 start_va = 0x2150000 end_va = 0x2486fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 781 start_va = 0x1f50000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 782 start_va = 0x1fa0000 end_va = 0x1fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 783 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 784 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 785 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 786 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 787 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 788 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 789 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 790 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 791 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 792 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 793 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 794 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 795 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 796 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 797 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 798 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 799 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 800 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 801 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 802 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 803 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 804 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 805 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 806 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 807 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 808 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 809 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 810 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 811 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 812 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 813 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 814 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 815 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 816 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 817 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 818 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 819 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 820 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 821 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 822 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 823 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 824 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 825 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 826 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 827 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 828 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 829 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 830 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 831 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 832 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 833 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 834 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 835 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 836 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 837 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 838 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 839 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 840 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 841 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 842 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 843 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 844 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 845 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 846 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 847 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 848 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 849 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 850 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 851 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 852 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 853 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 854 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 855 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 856 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 857 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 858 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 859 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 860 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 861 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 862 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 863 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 864 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 865 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 866 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 867 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 868 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 869 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 870 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 871 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 872 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 873 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 874 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 875 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 876 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 877 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 878 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 879 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 880 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 881 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 882 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 883 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 884 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 885 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 886 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 887 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 888 start_va = 0x1f50000 end_va = 0x1f5efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 889 start_va = 0x7ff926920000 end_va = 0x7ff92694cfff monitored = 0 entry_point = 0x7ff926939d40 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 890 start_va = 0x1f50000 end_va = 0x1f50fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "counters.dat" filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\INetCache\\counters.dat" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\inetcache\\counters.dat") Region: id = 891 start_va = 0x7ff927c10000 end_va = 0x7ff927c7afff monitored = 0 entry_point = 0x7ff927c290c0 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 892 start_va = 0x7ff91ecb0000 end_va = 0x7ff91ecc4fff monitored = 0 entry_point = 0x7ff91ecb2dc0 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 893 start_va = 0x7ff91f8b0000 end_va = 0x7ff91f8e7fff monitored = 0 entry_point = 0x7ff91f8c8cc0 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 894 start_va = 0x7ff91fd70000 end_va = 0x7ff91fe37fff monitored = 0 entry_point = 0x7ff91fdb13f0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 895 start_va = 0x1fa0000 end_va = 0x201ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 896 start_va = 0x7ff926570000 end_va = 0x7ff9265cbfff monitored = 0 entry_point = 0x7ff926586f70 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 897 start_va = 0x7ff91f6a0000 end_va = 0x7ff91f6aafff monitored = 0 entry_point = 0x7ff91f6a1d30 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 898 start_va = 0x7ff92a4a0000 end_va = 0x7ff92a4a7fff monitored = 0 entry_point = 0x7ff92a4a1ea0 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 899 start_va = 0x2490000 end_va = 0x250ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 900 start_va = 0x7ff9257e0000 end_va = 0x7ff925889fff monitored = 0 entry_point = 0x7ff925807910 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 901 start_va = 0x2020000 end_va = 0x2020fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002020000" filename = "" Region: id = 902 start_va = 0x2510000 end_va = 0x290afff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002510000" filename = "" Region: id = 903 start_va = 0x2030000 end_va = 0x2039fff monitored = 0 entry_point = 0x20315c0 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 904 start_va = 0x2910000 end_va = 0x298ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 905 start_va = 0x7ff9261f0000 end_va = 0x7ff926269fff monitored = 0 entry_point = 0x7ff926211a50 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 906 start_va = 0x2030000 end_va = 0x2030fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 907 start_va = 0x7ff917920000 end_va = 0x7ff917933fff monitored = 0 entry_point = 0x7ff917923710 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 908 start_va = 0x7ff926810000 end_va = 0x7ff926836fff monitored = 0 entry_point = 0x7ff926820aa0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 909 start_va = 0x7ff9267d0000 end_va = 0x7ff926809fff monitored = 0 entry_point = 0x7ff9267d8d20 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 910 start_va = 0x2990000 end_va = 0x2990fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 911 start_va = 0x7ff9262f0000 end_va = 0x7ff9262f9fff monitored = 0 entry_point = 0x7ff9262f1830 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 912 start_va = 0x7ff926dc0000 end_va = 0x7ff926e14fff monitored = 0 entry_point = 0x7ff926dd7970 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 913 start_va = 0x7ff926620000 end_va = 0x7ff926636fff monitored = 0 entry_point = 0x7ff9266279d0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 914 start_va = 0x7ff9262b0000 end_va = 0x7ff9262e3fff monitored = 0 entry_point = 0x7ff9262cae70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 915 start_va = 0x7ff926740000 end_va = 0x7ff92674afff monitored = 0 entry_point = 0x7ff9267419a0 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 916 start_va = 0x2990000 end_va = 0x2a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 917 start_va = 0x2a10000 end_va = 0x2b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a10000" filename = "" Region: id = 918 start_va = 0x2b10000 end_va = 0x2d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b10000" filename = "" Region: id = 919 start_va = 0x7ff925ca0000 end_va = 0x7ff925cc3fff monitored = 0 entry_point = 0x7ff925ca3260 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 920 start_va = 0x7ff9178c0000 end_va = 0x7ff9178eefff monitored = 0 entry_point = 0x7ff9178cec60 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 921 start_va = 0x2d10000 end_va = 0x2d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d10000" filename = "" Region: id = 922 start_va = 0x7ff91f790000 end_va = 0x7ff91f7a5fff monitored = 0 entry_point = 0x7ff91f7919f0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 923 start_va = 0x7ff91f770000 end_va = 0x7ff91f789fff monitored = 0 entry_point = 0x7ff91f772430 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 924 start_va = 0x7ff91ec30000 end_va = 0x7ff91ecaffff monitored = 0 entry_point = 0x7ff91ec5d280 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 925 start_va = 0x2030000 end_va = 0x2034fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 926 start_va = 0x2d90000 end_va = 0x2d9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 927 start_va = 0x7ff91e640000 end_va = 0x7ff91e649fff monitored = 0 entry_point = 0x7ff91e6414c0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 928 start_va = 0x7ff91f5e0000 end_va = 0x7ff91f646fff monitored = 0 entry_point = 0x7ff91f5e63e0 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 929 start_va = 0x2da0000 end_va = 0x2e1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002da0000" filename = "" Region: id = 930 start_va = 0x7ff923550000 end_va = 0x7ff923578fff monitored = 0 entry_point = 0x7ff92355ca00 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 931 start_va = 0x7ff9179d0000 end_va = 0x7ff9179edfff monitored = 0 entry_point = 0x7ff9179def80 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Thread: id = 14 os_tid = 0x770 [0115.080] GetStartupInfoW (in: lpStartupInfo=0xcfed0 | out: lpStartupInfo=0xcfed0*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\regsvr32.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x7ff6e8c92819, hStdError=0x0)) [0115.081] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6e8c90000 [0115.081] __set_app_type (_Type=0x2) [0115.081] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6e8c92b20) returned 0x0 [0115.081] __wgetmainargs (in: _Argc=0x7ff6e8c950e8, _Argv=0x7ff6e8c950f0, _Env=0x7ff6e8c950f8, _DoWildCard=0, _StartInfo=0x7ff6e8c95104 | out: _Argc=0x7ff6e8c950e8, _Argv=0x7ff6e8c950f0, _Env=0x7ff6e8c950f8) returned 0 [0115.083] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0115.083] lstrlenW (lpString="C:\\Windows\\system32\\WIMQPStO\\mlES.dll") returned 37 [0115.083] OleInitialize (pvReserved=0x0) returned 0x0 [0115.171] _wsplitpath_s (in: _FullPath="C:\\Windows\\system32\\WIMQPStO\\mlES.dll", _Drive=0x0, _DriveCount=0x0, _Dir=0x0, _DirCount=0x0, _Filename=0x0, _FilenameCount=0x0, _Ext=0xce760, _ExtCount=0x100 | out: _Drive=0x0, _Dir=0x0, _Filename=0x0, _Ext=".dll") returned 0x0 [0115.171] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey=".dll", ulOptions=0x0, samDesired=0x1, phkResult=0xce538 | out: phkResult=0xce538*=0x13e) returned 0x0 [0115.172] RegQueryValueExW (in: hKey=0x13e, lpValueName=0x0, lpReserved=0x0, lpType=0x0, lpData=0xce550, lpcbData=0xce530*=0x200 | out: lpType=0x0, lpData=0xce550*=0x64, lpcbData=0xce530*=0x10) returned 0x0 [0115.172] RegCloseKey (hKey=0x13e) returned 0x0 [0115.172] RegOpenKeyExW (in: hKey=0xffffffff80000000, lpSubKey="dllfile", ulOptions=0x0, samDesired=0x1, phkResult=0xce538 | out: phkResult=0xce538*=0x13e) returned 0x0 [0115.172] RegOpenKeyExW (in: hKey=0x13e, lpSubKey="AutoRegister", ulOptions=0x0, samDesired=0x1, phkResult=0xce540 | out: phkResult=0xce540*=0x0) returned 0x2 [0115.172] RegCloseKey (hKey=0x13e) returned 0x0 [0115.173] SetErrorMode (uMode=0x1) returned 0x0 [0115.173] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\WIMQPStO\\mlES.dll", hFile=0x0, dwFlags=0x8) returned 0x1e00000 [0118.700] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="kernel32.dll", BaseAddress=0xcd600 | out: BaseAddress=0xcd600*=0x7ff927b50000) returned 0x0 [0118.701] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="VirtualAlloc", Ordinal=0x0, ProcedureAddress=0xcd6d0 | out: ProcedureAddress=0xcd6d0*=0x7ff927b728c0) returned 0x0 [0118.702] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="VirtualProtect", Ordinal=0x0, ProcedureAddress=0xcd700 | out: ProcedureAddress=0xcd700*=0x7ff927b73a90) returned 0x0 [0118.702] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="FlushInstructionCache", Ordinal=0x0, ProcedureAddress=0xcd708 | out: ProcedureAddress=0xcd708*=0x7ff927b70c70) returned 0x0 [0118.702] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="GetNativeSystemInfo", Ordinal=0x0, ProcedureAddress=0xcd748 | out: ProcedureAddress=0xcd748*=0x7ff927b78a00) returned 0x0 [0118.703] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="Sleep", Ordinal=0x0, ProcedureAddress=0xcd6f0 | out: ProcedureAddress=0xcd6f0*=0x7ff927b6b7b0) returned 0x0 [0118.703] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="RtlAddFunctionTable", Ordinal=0x0, ProcedureAddress=0xcd750 | out: ProcedureAddress=0xcd750*=0x7ff927b76a10) returned 0x0 [0118.703] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="LoadLibraryA", Ordinal=0x0, ProcedureAddress=0xcd6f8 | out: ProcedureAddress=0xcd6f8*=0x7ff927b774d0) returned 0x0 [0118.703] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="FindResourceW", Ordinal=0x0, ProcedureAddress=0xcd720 | out: ProcedureAddress=0xcd720*=0x7ff927b769f0) returned 0x0 [0118.706] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="LoadResource", Ordinal=0x0, ProcedureAddress=0xcd728 | out: ProcedureAddress=0xcd728*=0x7ff927b73e60) returned 0x0 [0118.706] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="SizeofResource", Ordinal=0x0, ProcedureAddress=0xcd730 | out: ProcedureAddress=0xcd730*=0x7ff927b74460) returned 0x0 [0118.706] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="LockResource", Ordinal=0x0, ProcedureAddress=0xcd738 | out: ProcedureAddress=0xcd738*=0x7ff927b74450) returned 0x0 [0118.706] LdrGetProcedureAddress (in: BaseAddress=0x7ff927b50000, Name="FreeResource", Ordinal=0x0, ProcedureAddress=0xcd740 | out: ProcedureAddress=0xcd740*=0x7ff927b78ee0) returned 0x0 [0118.706] FindResourceW (hModule=0x1e00000, lpName=0x6dde, lpType=0x17) returned 0x1ec6c80 [0118.707] LoadResource (hModule=0x1e00000, hResInfo=0x1ec6c80) returned 0x1ecfff8 [0118.707] SizeofResource (hModule=0x1e00000, hResInfo=0x1ec6c80) returned 0x2d600 [0118.707] LockResource (hResData=0x1ecfff8) returned 0x1ecfff8 [0118.707] VirtualAlloc (lpAddress=0x0, dwSize=0x2d600, flAllocationType=0x3000, flProtect=0x40) returned 0x1f10000 [0118.721] FreeResource (hResData=0x1ecfff8) returned 0 [0118.721] GetNativeSystemInfo (in: lpSystemInfo=0xcd760 | out: lpSystemInfo=0xcd760*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0118.721] VirtualAlloc (lpAddress=0x180000000, dwSize=0x30000, flAllocationType=0x3000, flProtect=0x4) returned 0x0 [0118.722] VirtualAlloc (lpAddress=0x0, dwSize=0x30000, flAllocationType=0x3000, flProtect=0x4) returned 0x1f70000 [0118.729] VirtualProtect (in: lpAddress=0x1f71000, dwSize=0x2b600, flNewProtect=0x20, lpflOldProtect=0xcd7e8 | out: lpflOldProtect=0xcd7e8*=0x4) returned 1 [0118.741] VirtualProtect (in: lpAddress=0x1f9d000, dwSize=0xc00, flNewProtect=0x2, lpflOldProtect=0xcd7e8 | out: lpflOldProtect=0xcd7e8*=0x4) returned 1 [0118.741] VirtualProtect (in: lpAddress=0x1f9f000, dwSize=0x1000, flNewProtect=0x2, lpflOldProtect=0xcd7e8 | out: lpflOldProtect=0xcd7e8*=0x4) returned 1 [0118.741] FlushInstructionCache (hProcess=0xffffffffffffffff, lpBaseAddress=0x0, dwSize=0x0) returned 1 [0118.741] RtlAddFunctionTable (FunctionTable=0x1f9f000, EntryCount=0x13a, BaseAddress=0x1f70000, TargetGp=0x7ff927b76a10) returned 1 [0118.749] SetErrorMode (uMode=0x0) returned 0x1 [0118.749] GetProcAddress (hModule=0x1e00000, lpProcName="DllRegisterServer") returned 0x1e091a0 [0118.751] DllRegisterServer () [0118.767] GetProcessHeap () returned 0x580000 [0118.769] GetModuleHandleA (lpModuleName="NTDLL") returned 0x7ff92a680000 [0118.769] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x68) returned 0x58db90 [0118.769] GetProcessHeap () returned 0x580000 [0118.769] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x20) returned 0x594ef0 [0118.770] LoadLibraryW (lpLibFileName="advapi32.dll") returned 0x7ff928830000 [0118.772] GetProcessHeap () returned 0x580000 [0118.772] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594ef0 | out: hHeap=0x580000) returned 1 [0118.775] GetProcessHeap () returned 0x580000 [0118.775] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x18) returned 0x592a60 [0118.775] LoadLibraryW (lpLibFileName="bcrypt.dll") returned 0x7ff926b30000 [0118.775] GetProcessHeap () returned 0x580000 [0118.775] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x592a60 | out: hHeap=0x580000) returned 1 [0118.775] GetProcessHeap () returned 0x580000 [0118.776] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x18) returned 0x5928a0 [0118.776] LoadLibraryW (lpLibFileName="crypt32.dll") returned 0x7ff926fb0000 [0118.799] GetProcessHeap () returned 0x580000 [0118.799] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5928a0 | out: hHeap=0x580000) returned 1 [0118.799] GetProcessHeap () returned 0x580000 [0118.799] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x18) returned 0x592aa0 [0118.799] LoadLibraryW (lpLibFileName="shell32.dll") returned 0x7ff9288e0000 [0118.800] GetProcessHeap () returned 0x580000 [0118.800] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x592aa0 | out: hHeap=0x580000) returned 1 [0118.801] GetProcessHeap () returned 0x580000 [0118.801] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x18) returned 0x592900 [0118.801] LoadLibraryW (lpLibFileName="shlwapi.dll") returned 0x7ff927ed0000 [0118.801] GetProcessHeap () returned 0x580000 [0118.801] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x592900 | out: hHeap=0x580000) returned 1 [0118.803] GetProcessHeap () returned 0x580000 [0118.803] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x18) returned 0x592b40 [0118.803] LoadLibraryW (lpLibFileName="urlmon.dll") returned 0x7ff917680000 [0118.829] GetProcessHeap () returned 0x580000 [0118.829] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x592b40 | out: hHeap=0x580000) returned 1 [0118.829] GetProcessHeap () returned 0x580000 [0118.829] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x18) returned 0x592a60 [0118.829] LoadLibraryW (lpLibFileName="userenv.dll") returned 0x7ff926400000 [0118.838] GetProcessHeap () returned 0x580000 [0118.838] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x592a60 | out: hHeap=0x580000) returned 1 [0118.838] GetProcessHeap () returned 0x580000 [0118.838] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x18) returned 0x592a40 [0118.838] LoadLibraryW (lpLibFileName="wininet.dll") returned 0x7ff917eb0000 [0118.872] GetProcessHeap () returned 0x580000 [0118.872] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x592a40 | out: hHeap=0x580000) returned 1 [0118.872] GetProcessHeap () returned 0x580000 [0118.872] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x20) returned 0x594f20 [0118.872] LoadLibraryW (lpLibFileName="wtsapi32.dll") returned 0x7ff925320000 [0118.878] GetProcessHeap () returned 0x580000 [0118.878] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x594f20 | out: hHeap=0x580000) returned 1 [0118.878] GetProcessHeap () returned 0x580000 [0118.878] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x40) returned 0x595a60 [0118.878] GetProcessHeap () returned 0x580000 [0118.878] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x4000) returned 0x5a6d80 [0118.879] GetProcessHeap () returned 0x580000 [0118.879] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x8) returned 0x5958f0 [0118.879] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce588, pszAlgId="RNG", pszImplementation=0x0, dwFlags=0x0 | out: phAlgorithm=0xce588) returned 0x0 [0118.881] GetProcessHeap () returned 0x580000 [0118.881] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5958f0 | out: hHeap=0x580000) returned 1 [0118.882] BCryptGenRandom (in: hAlgorithm=0x5a1160, pbBuffer=0x5a6d80, cbBuffer=0x4000, dwFlags=0x0 | out: pbBuffer=0x5a6d80) returned 0x0 [0118.893] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5a1160, dwFlags=0x0 | out: hAlgorithm=0x5a1160) returned 0x0 [0118.894] GetProcessHeap () returned 0x580000 [0118.894] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x230) returned 0x59fde0 [0118.898] GetModuleFileNameW (in: hModule=0x1e00000, lpFilename=0x59fe08, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\WIMQPStO\\mlES.dll" (normalized: "c:\\windows\\system32\\wimqpsto\\mles.dll")) returned 0x25 [0118.899] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x5ab230 [0118.913] CloseServiceHandle (hSCObject=0x5ab230) returned 1 [0118.916] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x204 [0118.941] Process32FirstW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0118.943] GetCurrentProcessId () returned 0x5a8 [0118.944] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0118.945] GetCurrentProcessId () returned 0x5a8 [0118.945] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0118.946] GetCurrentProcessId () returned 0x5a8 [0118.946] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0118.947] GetCurrentProcessId () returned 0x5a8 [0118.947] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0118.948] GetCurrentProcessId () returned 0x5a8 [0118.948] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0118.950] GetCurrentProcessId () returned 0x5a8 [0118.950] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x200, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0118.951] GetCurrentProcessId () returned 0x5a8 [0118.951] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c4, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0118.952] GetCurrentProcessId () returned 0x5a8 [0118.952] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0118.953] GetCurrentProcessId () returned 0x5a8 [0118.953] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x278, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2b, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.954] GetCurrentProcessId () returned 0x5a8 [0118.954] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.955] GetCurrentProcessId () returned 0x5a8 [0118.955] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x200, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0118.956] GetCurrentProcessId () returned 0x5a8 [0118.956] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x61, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.957] GetCurrentProcessId () returned 0x5a8 [0118.957] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.959] GetCurrentProcessId () returned 0x5a8 [0118.959] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.961] GetCurrentProcessId () returned 0x5a8 [0118.961] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.962] GetCurrentProcessId () returned 0x5a8 [0118.962] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.963] GetCurrentProcessId () returned 0x5a8 [0118.963] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.966] GetCurrentProcessId () returned 0x5a8 [0118.966] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x470, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.967] GetCurrentProcessId () returned 0x5a8 [0118.967] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0118.967] GetCurrentProcessId () returned 0x5a8 [0118.967] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0118.968] GetCurrentProcessId () returned 0x5a8 [0118.968] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0118.969] GetCurrentProcessId () returned 0x5a8 [0118.969] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0118.970] GetCurrentProcessId () returned 0x5a8 [0118.970] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.970] GetCurrentProcessId () returned 0x5a8 [0118.970] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0118.971] GetCurrentProcessId () returned 0x5a8 [0118.971] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0118.972] GetCurrentProcessId () returned 0x5a8 [0118.972] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0118.973] GetCurrentProcessId () returned 0x5a8 [0118.973] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xab4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="SkypeHost.exe")) returned 1 [0118.973] GetCurrentProcessId () returned 0x5a8 [0118.973] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0118.974] GetCurrentProcessId () returned 0x5a8 [0118.974] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0118.975] GetCurrentProcessId () returned 0x5a8 [0118.975] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xef0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.976] GetCurrentProcessId () returned 0x5a8 [0118.976] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xda0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0118.977] GetCurrentProcessId () returned 0x5a8 [0118.977] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xec8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x368, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0118.977] GetCurrentProcessId () returned 0x5a8 [0118.977] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xcec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0118.978] GetCurrentProcessId () returned 0x5a8 [0118.979] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0118.980] GetCurrentProcessId () returned 0x5a8 [0118.980] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0118.980] GetCurrentProcessId () returned 0x5a8 [0118.980] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0118.981] GetCurrentProcessId () returned 0x5a8 [0118.981] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0118.982] GetCurrentProcessId () returned 0x5a8 [0118.982] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0118.983] GetCurrentProcessId () returned 0x5a8 [0118.983] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x214, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teacher.exe")) returned 1 [0118.983] GetCurrentProcessId () returned 0x5a8 [0118.984] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="purpose key need.exe")) returned 1 [0118.984] GetCurrentProcessId () returned 0x5a8 [0118.984] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="east_else.exe")) returned 1 [0118.985] GetCurrentProcessId () returned 0x5a8 [0118.985] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="born-himself.exe")) returned 1 [0118.986] GetCurrentProcessId () returned 0x5a8 [0118.986] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="save.exe")) returned 1 [0118.987] GetCurrentProcessId () returned 0x5a8 [0118.987] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="east bill series.exe")) returned 1 [0118.987] GetCurrentProcessId () returned 0x5a8 [0118.987] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="violence.exe")) returned 1 [0118.988] GetCurrentProcessId () returned 0x5a8 [0118.988] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tend.exe")) returned 1 [0118.989] GetCurrentProcessId () returned 0x5a8 [0118.989] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x68c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="campaign worry know.exe")) returned 1 [0118.990] GetCurrentProcessId () returned 0x5a8 [0118.990] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x760, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="state-others.exe")) returned 1 [0118.991] GetCurrentProcessId () returned 0x5a8 [0118.992] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="headnew.exe")) returned 1 [0118.993] GetCurrentProcessId () returned 0x5a8 [0118.993] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="present reason team.exe")) returned 1 [0119.005] GetCurrentProcessId () returned 0x5a8 [0119.005] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1018, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="effort represent.exe")) returned 1 [0119.006] GetCurrentProcessId () returned 0x5a8 [0119.006] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="live bank.exe")) returned 1 [0119.007] GetCurrentProcessId () returned 0x5a8 [0119.007] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1030, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="outside.exe")) returned 1 [0119.008] GetCurrentProcessId () returned 0x5a8 [0119.009] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="company-american-cell.exe")) returned 1 [0119.010] GetCurrentProcessId () returned 0x5a8 [0119.010] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0119.011] GetCurrentProcessId () returned 0x5a8 [0119.011] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x10b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0xe38, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0119.012] GetCurrentProcessId () returned 0x5a8 [0119.012] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0119.016] GetCurrentProcessId () returned 0x5a8 [0119.016] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0119.018] GetCurrentProcessId () returned 0x5a8 [0119.018] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x111c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0119.020] GetCurrentProcessId () returned 0x5a8 [0119.020] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0119.021] GetCurrentProcessId () returned 0x5a8 [0119.021] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0119.023] GetCurrentProcessId () returned 0x5a8 [0119.023] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0119.025] GetCurrentProcessId () returned 0x5a8 [0119.025] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x114c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0119.027] GetCurrentProcessId () returned 0x5a8 [0119.027] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x115c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0119.029] GetCurrentProcessId () returned 0x5a8 [0119.029] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0119.030] GetCurrentProcessId () returned 0x5a8 [0119.030] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0119.032] GetCurrentProcessId () returned 0x5a8 [0119.032] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0119.033] GetCurrentProcessId () returned 0x5a8 [0119.033] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0119.036] GetCurrentProcessId () returned 0x5a8 [0119.036] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x119c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0119.038] GetCurrentProcessId () returned 0x5a8 [0119.038] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0119.040] GetCurrentProcessId () returned 0x5a8 [0119.040] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0119.042] GetCurrentProcessId () returned 0x5a8 [0119.042] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0119.043] GetCurrentProcessId () returned 0x5a8 [0119.044] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0119.046] GetCurrentProcessId () returned 0x5a8 [0119.046] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0119.048] GetCurrentProcessId () returned 0x5a8 [0119.048] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0119.049] GetCurrentProcessId () returned 0x5a8 [0119.049] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1200, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0119.051] GetCurrentProcessId () returned 0x5a8 [0119.051] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0119.052] GetCurrentProcessId () returned 0x5a8 [0119.052] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0119.054] GetCurrentProcessId () returned 0x5a8 [0119.054] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0119.061] GetCurrentProcessId () returned 0x5a8 [0119.061] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0119.062] GetCurrentProcessId () returned 0x5a8 [0119.062] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1238, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0119.063] GetCurrentProcessId () returned 0x5a8 [0119.063] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0119.064] GetCurrentProcessId () returned 0x5a8 [0119.064] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0119.065] GetCurrentProcessId () returned 0x5a8 [0119.065] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x126c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0119.067] GetCurrentProcessId () returned 0x5a8 [0119.067] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0119.068] GetCurrentProcessId () returned 0x5a8 [0119.068] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1284, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0119.070] GetCurrentProcessId () returned 0x5a8 [0119.070] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x128c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0119.071] GetCurrentProcessId () returned 0x5a8 [0119.071] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0119.072] GetCurrentProcessId () returned 0x5a8 [0119.072] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0119.073] GetCurrentProcessId () returned 0x5a8 [0119.073] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0119.074] GetCurrentProcessId () returned 0x5a8 [0119.074] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0119.075] GetCurrentProcessId () returned 0x5a8 [0119.075] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0119.075] GetCurrentProcessId () returned 0x5a8 [0119.076] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0119.077] GetCurrentProcessId () returned 0x5a8 [0119.077] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0119.078] GetCurrentProcessId () returned 0x5a8 [0119.078] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0119.079] GetCurrentProcessId () returned 0x5a8 [0119.079] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0119.080] GetCurrentProcessId () returned 0x5a8 [0119.080] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0119.081] GetCurrentProcessId () returned 0x5a8 [0119.081] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0119.082] GetCurrentProcessId () returned 0x5a8 [0119.082] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0119.083] GetCurrentProcessId () returned 0x5a8 [0119.083] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="side_wrong.exe")) returned 1 [0119.084] GetCurrentProcessId () returned 0x5a8 [0119.084] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="underless.exe")) returned 1 [0119.086] GetCurrentProcessId () returned 0x5a8 [0119.086] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x904, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x368, pcPriClassBase=6, dwFlags=0x0, szExeFile="msfeedssync.exe")) returned 1 [0119.087] GetCurrentProcessId () returned 0x5a8 [0119.087] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x394, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0119.088] GetCurrentProcessId () returned 0x5a8 [0119.088] Process32NextW (in: hSnapshot=0x204, lppe=0xce0a0 | out: lppe=0xce0a0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xce8, pcPriClassBase=8, dwFlags=0x0, szExeFile="regsvr32.exe")) returned 1 [0119.089] GetCurrentProcessId () returned 0x5a8 [0119.089] CloseHandle (hObject=0x204) returned 1 [0119.089] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xce8) returned 0x0 [0119.091] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0xce180 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0119.131] lstrlenW (lpString="C:\\Windows\\system32") returned 19 [0119.131] StrCmpNIW (lpStr1="C:\\Windows\\system32", lpStr2="C:\\Windows\\system32", nChar=19) returned 0 [0119.145] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0xce180 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25 [0119.145] lstrlenW (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 37 [0119.145] lstrlenW (lpString="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp") returned 36 [0119.145] StrCmpNIW (lpStr1="", lpStr2="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp", nChar=36) returned -1 [0119.145] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x210 [0119.161] Process32FirstW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0119.162] GetCurrentProcessId () returned 0x5a8 [0119.162] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7f, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0119.164] GetCurrentProcessId () returned 0x5a8 [0119.164] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0119.166] GetCurrentProcessId () returned 0x5a8 [0119.166] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0119.167] GetCurrentProcessId () returned 0x5a8 [0119.167] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0119.172] GetCurrentProcessId () returned 0x5a8 [0119.172] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0119.173] GetCurrentProcessId () returned 0x5a8 [0119.173] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x200, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1bc, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0119.174] GetCurrentProcessId () returned 0x5a8 [0119.174] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c4, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0119.176] GetCurrentProcessId () returned 0x5a8 [0119.176] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c4, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0119.177] GetCurrentProcessId () returned 0x5a8 [0119.177] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x278, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2b, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.178] GetCurrentProcessId () returned 0x5a8 [0119.178] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.179] GetCurrentProcessId () returned 0x5a8 [0119.179] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x30c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x200, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0119.180] GetCurrentProcessId () returned 0x5a8 [0119.180] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x61, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.181] GetCurrentProcessId () returned 0x5a8 [0119.181] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.182] GetCurrentProcessId () returned 0x5a8 [0119.182] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x394, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.183] GetCurrentProcessId () returned 0x5a8 [0119.184] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.185] GetCurrentProcessId () returned 0x5a8 [0119.185] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x3fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.186] GetCurrentProcessId () returned 0x5a8 [0119.186] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.188] GetCurrentProcessId () returned 0x5a8 [0119.188] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x470, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.189] GetCurrentProcessId () returned 0x5a8 [0119.189] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0119.190] GetCurrentProcessId () returned 0x5a8 [0119.190] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0119.191] GetCurrentProcessId () returned 0x5a8 [0119.191] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0119.192] GetCurrentProcessId () returned 0x5a8 [0119.192] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0119.193] GetCurrentProcessId () returned 0x5a8 [0119.193] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x70c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.194] GetCurrentProcessId () returned 0x5a8 [0119.194] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x81c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2f, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0119.195] GetCurrentProcessId () returned 0x5a8 [0119.195] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x9e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0119.196] GetCurrentProcessId () returned 0x5a8 [0119.196] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0119.197] GetCurrentProcessId () returned 0x5a8 [0119.197] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xab4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="SkypeHost.exe")) returned 1 [0119.198] GetCurrentProcessId () returned 0x5a8 [0119.199] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xae0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0119.200] GetCurrentProcessId () returned 0x5a8 [0119.200] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0119.201] GetCurrentProcessId () returned 0x5a8 [0119.201] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xef0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.202] GetCurrentProcessId () returned 0x5a8 [0119.202] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xda0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0119.203] GetCurrentProcessId () returned 0x5a8 [0119.203] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xec8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x368, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0119.204] GetCurrentProcessId () returned 0x5a8 [0119.204] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xcec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x368, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0119.205] GetCurrentProcessId () returned 0x5a8 [0119.205] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0119.206] GetCurrentProcessId () returned 0x5a8 [0119.206] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0119.208] GetCurrentProcessId () returned 0x5a8 [0119.208] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0119.210] GetCurrentProcessId () returned 0x5a8 [0119.210] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0119.211] GetCurrentProcessId () returned 0x5a8 [0119.211] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8c4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x218, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0119.213] GetCurrentProcessId () returned 0x5a8 [0119.213] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x214, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="teacher.exe")) returned 1 [0119.214] GetCurrentProcessId () returned 0x5a8 [0119.214] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x8ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="purpose key need.exe")) returned 1 [0119.215] GetCurrentProcessId () returned 0x5a8 [0119.215] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd44, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="east_else.exe")) returned 1 [0119.216] GetCurrentProcessId () returned 0x5a8 [0119.216] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x964, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="born-himself.exe")) returned 1 [0119.218] GetCurrentProcessId () returned 0x5a8 [0119.218] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="save.exe")) returned 1 [0119.219] GetCurrentProcessId () returned 0x5a8 [0119.219] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x62c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="east bill series.exe")) returned 1 [0119.220] GetCurrentProcessId () returned 0x5a8 [0119.220] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd6c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="violence.exe")) returned 1 [0119.221] GetCurrentProcessId () returned 0x5a8 [0119.221] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xa60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="tend.exe")) returned 1 [0119.222] GetCurrentProcessId () returned 0x5a8 [0119.222] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x68c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="campaign worry know.exe")) returned 1 [0119.223] GetCurrentProcessId () returned 0x5a8 [0119.223] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x760, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="state-others.exe")) returned 1 [0119.224] GetCurrentProcessId () returned 0x5a8 [0119.224] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xd34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="headnew.exe")) returned 1 [0119.225] GetCurrentProcessId () returned 0x5a8 [0119.225] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="present reason team.exe")) returned 1 [0119.226] GetCurrentProcessId () returned 0x5a8 [0119.226] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1018, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="effort represent.exe")) returned 1 [0119.228] GetCurrentProcessId () returned 0x5a8 [0119.228] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="live bank.exe")) returned 1 [0119.229] GetCurrentProcessId () returned 0x5a8 [0119.229] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1030, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="outside.exe")) returned 1 [0119.230] GetCurrentProcessId () returned 0x5a8 [0119.230] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="company-american-cell.exe")) returned 1 [0119.231] GetCurrentProcessId () returned 0x5a8 [0119.231] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1090, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x278, pcPriClassBase=8, dwFlags=0x0, szExeFile="backgroundTaskHost.exe")) returned 1 [0119.232] GetCurrentProcessId () returned 0x5a8 [0119.232] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x10b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0xe38, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0119.233] GetCurrentProcessId () returned 0x5a8 [0119.233] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1100, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0119.235] GetCurrentProcessId () returned 0x5a8 [0119.235] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0119.237] GetCurrentProcessId () returned 0x5a8 [0119.237] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x111c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0119.239] GetCurrentProcessId () returned 0x5a8 [0119.239] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0119.240] GetCurrentProcessId () returned 0x5a8 [0119.241] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1138, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0119.242] GetCurrentProcessId () returned 0x5a8 [0119.242] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0119.244] GetCurrentProcessId () returned 0x5a8 [0119.244] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x114c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0119.245] GetCurrentProcessId () returned 0x5a8 [0119.245] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x115c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0119.247] GetCurrentProcessId () returned 0x5a8 [0119.247] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1164, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0119.253] GetCurrentProcessId () returned 0x5a8 [0119.253] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0119.254] GetCurrentProcessId () returned 0x5a8 [0119.254] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0119.256] GetCurrentProcessId () returned 0x5a8 [0119.256] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1194, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0119.257] GetCurrentProcessId () returned 0x5a8 [0119.257] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x119c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0119.259] GetCurrentProcessId () returned 0x5a8 [0119.259] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0119.261] GetCurrentProcessId () returned 0x5a8 [0119.261] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0119.262] GetCurrentProcessId () returned 0x5a8 [0119.262] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0119.265] GetCurrentProcessId () returned 0x5a8 [0119.265] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0119.267] GetCurrentProcessId () returned 0x5a8 [0119.267] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0119.268] GetCurrentProcessId () returned 0x5a8 [0119.268] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x11ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0119.270] GetCurrentProcessId () returned 0x5a8 [0119.270] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1200, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0119.271] GetCurrentProcessId () returned 0x5a8 [0119.271] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1208, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0119.273] GetCurrentProcessId () returned 0x5a8 [0119.273] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1218, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0119.274] GetCurrentProcessId () returned 0x5a8 [0119.274] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0119.276] GetCurrentProcessId () returned 0x5a8 [0119.276] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0119.277] GetCurrentProcessId () returned 0x5a8 [0119.277] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1238, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0119.279] GetCurrentProcessId () returned 0x5a8 [0119.279] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0119.281] GetCurrentProcessId () returned 0x5a8 [0119.281] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0119.282] GetCurrentProcessId () returned 0x5a8 [0119.282] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x126c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0119.284] GetCurrentProcessId () returned 0x5a8 [0119.284] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1274, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0119.285] GetCurrentProcessId () returned 0x5a8 [0119.285] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1284, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0119.286] GetCurrentProcessId () returned 0x5a8 [0119.286] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x128c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0119.289] GetCurrentProcessId () returned 0x5a8 [0119.289] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0119.291] GetCurrentProcessId () returned 0x5a8 [0119.291] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0119.292] GetCurrentProcessId () returned 0x5a8 [0119.292] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0119.294] GetCurrentProcessId () returned 0x5a8 [0119.294] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12b8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0119.295] GetCurrentProcessId () returned 0x5a8 [0119.295] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0119.296] GetCurrentProcessId () returned 0x5a8 [0119.296] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0119.298] GetCurrentProcessId () returned 0x5a8 [0119.298] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0119.299] GetCurrentProcessId () returned 0x5a8 [0119.299] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0119.300] GetCurrentProcessId () returned 0x5a8 [0119.301] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x12fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0119.302] GetCurrentProcessId () returned 0x5a8 [0119.302] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0119.303] GetCurrentProcessId () returned 0x5a8 [0119.303] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0119.304] GetCurrentProcessId () returned 0x5a8 [0119.304] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0119.306] GetCurrentProcessId () returned 0x5a8 [0119.306] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1328, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="side_wrong.exe")) returned 1 [0119.307] GetCurrentProcessId () returned 0x5a8 [0119.307] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x1338, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x81c, pcPriClassBase=8, dwFlags=0x0, szExeFile="underless.exe")) returned 1 [0119.308] GetCurrentProcessId () returned 0x5a8 [0119.308] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x904, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x368, pcPriClassBase=6, dwFlags=0x0, szExeFile="msfeedssync.exe")) returned 1 [0119.310] GetCurrentProcessId () returned 0x5a8 [0119.310] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0xe68, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x394, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0119.311] GetCurrentProcessId () returned 0x5a8 [0119.311] Process32NextW (in: hSnapshot=0x210, lppe=0xce0b0 | out: lppe=0xce0b0*(dwSize=0x238, cntUsage=0x0, th32ProcessID=0x5a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xce8, pcPriClassBase=8, dwFlags=0x0, szExeFile="regsvr32.exe")) returned 1 [0119.312] GetCurrentProcessId () returned 0x5a8 [0119.313] CloseHandle (hObject=0x210) returned 1 [0119.313] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0xce8) returned 0x0 [0119.314] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x210 [0119.314] GetProcessHeap () returned 0x580000 [0119.314] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x110) returned 0x5a25d0 [0119.314] GetComputerNameA (in: lpBuffer=0xce4f0, nSize=0xce4e0 | out: lpBuffer="XC64ZB", nSize=0xce4e0) returned 1 [0119.314] GetProcessHeap () returned 0x580000 [0119.314] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x8) returned 0x58e180 [0119.316] GetWindowsDirectoryW (in: lpBuffer=0xce260, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0119.317] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0xce24c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0xce24c*=0xc287f38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0119.318] _snprintf (in: _Dest=0x5a25d0, _Count=0x104, _Format="%s_%08X" | out: _Dest="XC64ZB_0C287F38") returned 15 [0119.318] GetProcessHeap () returned 0x580000 [0119.318] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x58e180 | out: hHeap=0x580000) returned 1 [0119.318] GetProcessHeap () returned 0x580000 [0119.318] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x48) returned 0x5ae2a0 [0119.320] GetProcessHeap () returned 0x580000 [0119.320] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x48) returned 0x5aed90 [0119.322] GetProcessHeap () returned 0x580000 [0119.322] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x592d30 [0119.322] GetProcessHeap () returned 0x580000 [0119.322] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x228) returned 0x5ac750 [0119.322] GetProcessHeap () returned 0x580000 [0119.322] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x593130 [0119.323] GetProcessHeap () returned 0x580000 [0119.324] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x593270 [0119.324] GetProcessHeap () returned 0x580000 [0119.324] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5933f0 [0119.324] GetProcessHeap () returned 0x580000 [0119.324] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x593170 [0119.324] GetProcessHeap () returned 0x580000 [0119.324] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x592cf0 [0119.324] GetProcessHeap () returned 0x580000 [0119.324] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af400 [0119.325] GetProcessHeap () returned 0x580000 [0119.325] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af680 [0119.325] GetProcessHeap () returned 0x580000 [0119.325] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af9c0 [0119.325] GetProcessHeap () returned 0x580000 [0119.325] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afc00 [0119.325] GetProcessHeap () returned 0x580000 [0119.325] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afe00 [0119.325] GetProcessHeap () returned 0x580000 [0119.325] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afac0 [0119.329] GetProcessHeap () returned 0x580000 [0119.329] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afb00 [0119.329] GetProcessHeap () returned 0x580000 [0119.329] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af740 [0119.329] GetProcessHeap () returned 0x580000 [0119.329] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afd40 [0119.329] GetProcessHeap () returned 0x580000 [0119.329] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afb40 [0119.329] GetProcessHeap () returned 0x580000 [0119.329] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af180 [0119.329] GetProcessHeap () returned 0x580000 [0119.329] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af300 [0119.329] GetProcessHeap () returned 0x580000 [0119.329] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af6c0 [0119.329] GetProcessHeap () returned 0x580000 [0119.329] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afb80 [0119.329] GetProcessHeap () returned 0x580000 [0119.329] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afe80 [0119.330] GetProcessHeap () returned 0x580000 [0119.330] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af600 [0119.330] GetProcessHeap () returned 0x580000 [0119.330] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af7c0 [0119.330] GetProcessHeap () returned 0x580000 [0119.330] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af8c0 [0119.330] GetProcessHeap () returned 0x580000 [0119.330] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af500 [0119.330] GetProcessHeap () returned 0x580000 [0119.330] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afbc0 [0119.330] GetProcessHeap () returned 0x580000 [0119.330] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af780 [0119.332] GetProcessHeap () returned 0x580000 [0119.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af480 [0119.332] GetProcessHeap () returned 0x580000 [0119.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af200 [0119.332] GetProcessHeap () returned 0x580000 [0119.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af440 [0119.332] GetProcessHeap () returned 0x580000 [0119.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af100 [0119.332] GetProcessHeap () returned 0x580000 [0119.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af700 [0119.332] GetProcessHeap () returned 0x580000 [0119.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afa00 [0119.332] GetProcessHeap () returned 0x580000 [0119.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af140 [0119.332] GetProcessHeap () returned 0x580000 [0119.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af880 [0119.332] GetProcessHeap () returned 0x580000 [0119.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afc40 [0119.332] GetProcessHeap () returned 0x580000 [0119.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af4c0 [0119.332] GetProcessHeap () returned 0x580000 [0119.332] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afc80 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af900 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af580 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af5c0 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af640 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af380 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5afcc0 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af340 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af800 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af540 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af840 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5aef80 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af240 [0119.333] GetProcessHeap () returned 0x580000 [0119.333] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x30) returned 0x5af940 [0119.334] GetProcessHeap () returned 0x580000 [0119.334] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ac750 | out: hHeap=0x580000) returned 1 [0119.334] GetProcessHeap () returned 0x580000 [0119.334] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x78) returned 0x5ac750 [0119.334] GetProcessHeap () returned 0x580000 [0119.334] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x18) returned 0x592a60 [0119.334] GetProcessHeap () returned 0x580000 [0119.334] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x40) returned 0x5ae1b0 [0119.335] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce400, pszAlgId="ECDH_P256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0xce400) returned 0x0 [0119.337] GetProcessHeap () returned 0x580000 [0119.337] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x592a60 | out: hHeap=0x580000) returned 1 [0119.337] GetProcessHeap () returned 0x580000 [0119.337] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ae1b0 | out: hHeap=0x580000) returned 1 [0119.337] BCryptGenerateKeyPair (in: hAlgorithm=0x5ac960, phKey=0xce3f8, dwLength=0x100, dwFlags=0x0 | out: hAlgorithm=0x5ac960, phKey=0xce3f8) returned 0x0 [0119.338] BCryptFinalizeKeyPair (in: hKey=0x5ab2c0, dwFlags=0x0 | out: hKey=0x5ab2c0) returned 0x0 [0119.339] GetProcessHeap () returned 0x580000 [0119.339] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x20) returned 0x5ab140 [0119.339] BCryptExportKey (in: hKey=0x5ab2c0, hExportKey=0x0, pszBlobType="ECCPUBLICBLOB", pbOutput=0xce430, cbOutput=0x48, pcbResult=0xce3f4, dwFlags=0x0 | out: pbOutput=0xce430, pcbResult=0xce3f4) returned 0x0 [0119.339] GetProcessHeap () returned 0x580000 [0119.340] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ab140 | out: hHeap=0x580000) returned 1 [0119.340] GetProcessHeap () returned 0x580000 [0119.340] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x20) returned 0x5aaf00 [0119.340] BCryptImportKeyPair (in: hAlgorithm=0x5ac960, hImportKey=0x0, pszBlobType="ECCPUBLICBLOB", phKey=0xce410, pbInput=0x5ae2a0, cbInput=0x48, dwFlags=0x0 | out: phKey=0xce410) returned 0x0 [0119.351] GetProcessHeap () returned 0x580000 [0119.351] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5aaf00 | out: hHeap=0x580000) returned 1 [0119.351] BCryptSecretAgreement (in: hPrivKey=0x5ab2c0, hPubKey=0x5aaff0, phAgreedSecret=0xce408, dwFlags=0x0 | out: phAgreedSecret=0xce408) returned 0x0 [0119.352] GetProcessHeap () returned 0x580000 [0119.352] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x8) returned 0x58e180 [0119.352] GetProcessHeap () returned 0x580000 [0119.352] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x40) returned 0x5ade40 [0119.352] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce2c0, pszAlgId="AES", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0xce2c0) returned 0x0 [0119.353] GetProcessHeap () returned 0x580000 [0119.353] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x58e180 | out: hHeap=0x580000) returned 1 [0119.353] GetProcessHeap () returned 0x580000 [0119.353] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ade40 | out: hHeap=0x580000) returned 1 [0119.353] GetProcessHeap () returned 0x580000 [0119.353] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x10) returned 0x5929c0 [0119.353] GetProcessHeap () returned 0x580000 [0119.353] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x10) returned 0x5928a0 [0119.353] lstrlenW (lpString="SHA256") returned 6 [0119.354] BCryptDeriveKey (in: hSharedSecret=0x592aa0, pwszKDF="HASH", pParameterList=0xce2d8, pbDerivedKey=0xce304, cbDerivedKey=0x20, pcbResult=0xce2bc, dwFlags=0x0 | out: pbDerivedKey=0xce304, pcbResult=0xce2bc) returned 0x0 [0119.358] GetProcessHeap () returned 0x580000 [0119.358] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5929c0 | out: hHeap=0x580000) returned 1 [0119.358] GetProcessHeap () returned 0x580000 [0119.358] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5928a0 | out: hHeap=0x580000) returned 1 [0119.359] GetProcessHeap () returned 0x580000 [0119.359] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x20) returned 0x5ab020 [0119.359] BCryptGetProperty (in: hObject=0x5b0220, pszProperty="ObjectLength", pbOutput=0x5ac7a8, cbOutput=0x4, pcbResult=0xce2bc, dwFlags=0x0 | out: pbOutput=0x5ac7a8, pcbResult=0xce2bc) returned 0x0 [0119.359] GetProcessHeap () returned 0x580000 [0119.360] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ab020 | out: hHeap=0x580000) returned 1 [0119.360] GetProcessHeap () returned 0x580000 [0119.360] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x28e) returned 0x5b0360 [0119.360] GetProcessHeap () returned 0x580000 [0119.360] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x18) returned 0x5929c0 [0119.360] BCryptImportKey (in: hAlgorithm=0x5b0220, hImportKey=0x0, pszBlobType="KeyDataBlob", phKey=0x5ac7b0, pbKeyObject=0x5b0360, cbKeyObject=0x28e, pbInput=0xce2f8, cbInput=0x2c, dwFlags=0x0 | out: phKey=0x5ac7b0, pbKeyObject=0x5b0360) returned 0x0 [0119.360] GetProcessHeap () returned 0x580000 [0119.360] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5929c0 | out: hHeap=0x580000) returned 1 [0119.360] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5b0220, dwFlags=0x0 | out: hAlgorithm=0x5b0220) returned 0x0 [0119.360] BCryptDestroySecret (in: hSecret=0x592aa0 | out: hSecret=0x592aa0) returned 0x0 [0119.360] BCryptDestroyKey (in: hKey=0x5aaff0 | out: hKey=0x5aaff0) returned 0x0 [0119.360] BCryptDestroyKey (in: hKey=0x5ab2c0 | out: hKey=0x5ab2c0) returned 0x0 [0119.360] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5ac960, dwFlags=0x0 | out: hAlgorithm=0x5ac960) returned 0x0 [0119.360] GetProcessHeap () returned 0x580000 [0119.360] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x18) returned 0x592a60 [0119.360] GetProcessHeap () returned 0x580000 [0119.360] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x40) returned 0x5ade40 [0119.361] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce478, pszAlgId="ECDSA_P256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0xce478) returned 0x0 [0119.361] GetProcessHeap () returned 0x580000 [0119.361] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x592a60 | out: hHeap=0x580000) returned 1 [0119.361] GetProcessHeap () returned 0x580000 [0119.362] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ade40 | out: hHeap=0x580000) returned 1 [0119.362] GetProcessHeap () returned 0x580000 [0119.362] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x20) returned 0x5ab410 [0119.362] BCryptImportKeyPair (in: hAlgorithm=0x5b00d0, hImportKey=0x0, pszBlobType="ECCPUBLICBLOB", phKey=0x5ac7b8, pbInput=0x5aed90, cbInput=0x48, dwFlags=0x0 | out: phKey=0x5ac7b8) returned 0x0 [0119.362] GetProcessHeap () returned 0x580000 [0119.362] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ab410 | out: hHeap=0x580000) returned 1 [0119.362] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5b00d0, dwFlags=0x0 | out: hAlgorithm=0x5b00d0) returned 0x0 [0119.363] GetProcessHeap () returned 0x580000 [0119.363] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5aed90 | out: hHeap=0x580000) returned 1 [0119.363] GetProcessHeap () returned 0x580000 [0119.363] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ae2a0 | out: hHeap=0x580000) returned 1 [0119.363] GetProcessHeap () returned 0x580000 [0119.363] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x50) returned 0x5a0560 [0119.364] GetProcessHeap () returned 0x580000 [0119.364] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x48) returned 0x5aecf0 [0119.364] GetProcessHeap () returned 0x580000 [0119.364] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x48) returned 0x5ae980 [0119.364] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x214 [0119.364] WaitForSingleObject (hHandle=0x210, dwMilliseconds=0x6ba9) returned 0x102 [0129.424] lstrlenA (lpString="XC64ZB_0C287F38") returned 15 [0129.542] RtlGetVersion (in: lpVersionInformation=0xce4a0 | out: lpVersionInformation=0xce4a0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xa, dwMinorVersion=0x0, dwBuildNumber=0x295a, dwPlatformId=0x2, szCSDVersion="")) returned 0x0 [0129.544] GetNativeSystemInfo (in: lpSystemInfo=0xce470 | out: lpSystemInfo=0xce470*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0129.546] GetCurrentProcessId () returned 0x5a8 [0129.547] ProcessIdToSessionId (in: dwProcessId=0x5a8, pSessionId=0xce5e0 | out: pSessionId=0xce5e0) returned 1 [0129.553] GetProcessHeap () returned 0x580000 [0129.555] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x2b) returned 0x5afa40 [0129.586] GetProcessHeap () returned 0x580000 [0129.586] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x10) returned 0x592bc0 [0129.587] GetProcessHeap () returned 0x580000 [0129.587] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x40) returned 0x5ae480 [0129.588] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce1f0, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0xce1f0) returned 0x0 [0129.596] GetProcessHeap () returned 0x580000 [0129.596] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x592bc0 | out: hHeap=0x580000) returned 1 [0129.596] GetProcessHeap () returned 0x580000 [0129.597] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ae480 | out: hHeap=0x580000) returned 1 [0129.598] GetProcessHeap () returned 0x580000 [0129.598] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x20) returned 0x5ab170 [0129.598] BCryptGetProperty (in: hObject=0x5b06b0, pszProperty="ObjectLength", pbOutput=0xce200, cbOutput=0x4, pcbResult=0xce208, dwFlags=0x0 | out: pbOutput=0xce200, pcbResult=0xce208) returned 0x0 [0129.598] GetProcessHeap () returned 0x580000 [0129.598] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ab170 | out: hHeap=0x580000) returned 1 [0129.599] GetProcessHeap () returned 0x580000 [0129.599] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x136) returned 0x5aff40 [0129.599] BCryptCreateHash (in: hAlgorithm=0x5b06b0, phHash=0xce1e8, pbHashObject=0x5aff40, cbHashObject=0x136, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x5b06b0, phHash=0xce1e8, pbHashObject=0x5aff40) returned 0x0 [0129.599] BCryptHashData (in: hHash=0x5aff40, pbInput=0x5afa40, cbInput=0x2b, dwFlags=0x0 | out: hHash=0x5aff40) returned 0x0 [0129.600] BCryptFinishHash (in: hHash=0x5aff40, pbOutput=0xce300, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x5aff40, pbOutput=0xce300) returned 0x0 [0129.600] BCryptDestroyHash (in: hHash=0x5aff40 | out: hHash=0x5aff40) returned 0x0 [0129.600] GetProcessHeap () returned 0x580000 [0129.600] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5aff40 | out: hHeap=0x580000) returned 1 [0129.600] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x5b06b0, dwFlags=0x0 | out: hAlgorithm=0x5b06b0) returned 0x0 [0129.600] GetProcessHeap () returned 0x580000 [0129.600] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x57) returned 0x5a0200 [0129.600] BCryptEncrypt (in: hKey=0x5b0360, pbInput=0x5a0200, cbInput=0x57, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0xce210, dwFlags=0x1 | out: hKey=0x5b0360, pbIV=0x0, pbOutput=0x0, pcbResult=0xce210) returned 0x0 [0129.600] GetProcessHeap () returned 0x580000 [0129.600] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x60) returned 0x5aca90 [0129.600] BCryptEncrypt (in: hKey=0x5b0360, pbInput=0x5a0200, cbInput=0x57, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x5aca90, cbOutput=0x60, pcbResult=0xce210, dwFlags=0x1 | out: hKey=0x5b0360, pbIV=0x0, pbOutput=0x5aca90, pcbResult=0xce210) returned 0x0 [0129.600] GetProcessHeap () returned 0x580000 [0129.600] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0xe3) returned 0x5aff40 [0129.601] GetProcessHeap () returned 0x580000 [0129.602] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5aca90 | out: hHeap=0x580000) returned 1 [0129.602] GetProcessHeap () returned 0x580000 [0129.602] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5a0200 | out: hHeap=0x580000) returned 1 [0129.607] CryptBinaryToStringW (in: pbBinary=0x5aff40, cbBinary=0xe3, dwFlags=0x40000001, pszString=0x0, pcchString=0xce22c | out: pszString=0x0, pcchString=0xce22c) returned 1 [0129.607] GetProcessHeap () returned 0x580000 [0129.607] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x262) returned 0x5b06b0 [0129.607] CryptBinaryToStringW (in: pbBinary=0x5aff40, cbBinary=0xe3, dwFlags=0x40000001, pszString=0x5b06b0, pcchString=0xce22c | out: pszString="5IJTPaYPqdxYlfXInEbMi20w6z4SI399/SISOv4eWGwtONrX/qwq+W5yKnWigqeIt24MWg6DwKW/PXOh9kSzpE3e0hAi7ajNeV8q7h/UDgevWSVWZ0UdUmV7L9IJEb5N9hgcJ7SPTrG/G7L1LCep4sfkOsQjsS9DWf3lx5JCCnH5Mb29fcebwC/qK4Syy7FpHjgp1WdVjwlC7l/L9s4OF5DN08OpYbukhCdl2cwAp2JuYWs52DXFWuA1U0PHfnG1uTj2+XueXmsJnDkOtP7zW6/q7hXJzUxPH6hvPvp21Kxn6hA=", pcchString=0xce22c) returned 1 [0129.607] GetProcessHeap () returned 0x580000 [0129.607] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x4000) returned 0x5b0920 [0129.610] GetProcessHeap () returned 0x580000 [0129.610] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x20) returned 0x5ab170 [0129.610] _snwprintf (in: _Dest=0x5b0920, _Count=0x4000, _Format="Cookie: %s=%s\r\n" | out: _Dest="Cookie: SdlIPcoulBqpUX=5IJTPaYPqdxYlfXInEbMi20w6z4SI399/SISOv4eWGwtONrX/qwq+W5yKnWigqeIt24MWg6DwKW/PXOh9kSzpE3e0hAi7ajNeV8q7h/UDgevWSVWZ0UdUmV7L9IJEb5N9hgcJ7SPTrG/G7L1LCep4sfkOsQjsS9DWf3lx5JCCnH5Mb29fcebwC/qK4Syy7FpHjgp1WdVjwlC7l/L9s4OF5DN08OpYbukhCdl2cwAp2JuYWs52DXFWuA1U0PHfnG1uTj2+XueXmsJnDkOtP7zW6/q7hXJzUxPH6hvPvp21Kxn6hA=\r\n") returned 329 [0129.610] GetProcessHeap () returned 0x580000 [0129.611] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5ab170 | out: hHeap=0x580000) returned 1 [0129.613] GetProcessHeap () returned 0x580000 [0129.614] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b06b0 | out: hHeap=0x580000) returned 1 [0129.614] GetProcessHeap () returned 0x580000 [0129.614] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5aff40 | out: hHeap=0x580000) returned 1 [0129.614] GetProcessHeap () returned 0x580000 [0129.615] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x18) returned 0x592920 [0129.615] _snwprintf (in: _Dest=0xce420, _Count=0x40, _Format="%u.%u.%u.%u" | out: _Dest="174.138.33.49") returned 13 [0129.615] GetProcessHeap () returned 0x580000 [0129.615] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x592920 | out: hHeap=0x580000) returned 1 [0129.624] InternetOpenW (lpszAgent=0x0, dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0130.435] GetProcessHeap () returned 0x580000 [0130.435] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x580000) returned 1 [0130.437] InternetConnectW (hInternet=0xcc0004, lpszServerName="174.138.33.49", nServerPort=0x1ba8, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0130.442] HttpOpenRequestW (hConnect=0xcc0008, lpszVerb=0x0, lpszObjectName="", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x0, dwFlags=0x84ccf300, dwContext=0x0) returned 0xcc000c [0130.445] GetProcessHeap () returned 0x580000 [0130.445] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x580000) returned 1 [0130.445] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x41, lpBuffer=0xce2e8*, dwBufferLength=0x4) returned 1 [0130.445] InternetQueryOptionW (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0xce2e8, lpdwBufferLength=0xce2f0 | out: lpBuffer=0xce2e8, lpdwBufferLength=0xce2f0) returned 1 [0130.446] InternetSetOptionW (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0xce2e8*, dwBufferLength=0x4) returned 1 [0130.446] HttpSendRequestW (hRequest=0xcc000c, lpszHeaders="Cookie: SdlIPcoulBqpUX=5IJTPaYPqdxYlfXInEbMi20w6z4SI399/SISOv4eWGwtONrX/qwq+W5yKnWigqeIt24MWg6DwKW/PXOh9kSzpE3e0hAi7ajNeV8q7h/UDgevWSVWZ0UdUmV7L9IJEb5N9hgcJ7SPTrG/G7L1LCep4sfkOsQjsS9DWf3lx5JCCnH5Mb29fcebwC/qK4Syy7FpHjgp1WdVjwlC7l/L9s4OF5DN08OpYbukhCdl2cwAp2JuYWs52DXFWuA1U0PHfnG1uTj2+XueXmsJnDkOtP7zW6/q7hXJzUxPH6hvPvp21Kxn6hA=\r\n", dwHeadersLength=0xffffffff, lpOptional=0x0*, dwOptionalLength=0x0) returned 1 [0141.769] HttpQueryInfoW (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0xce210, lpdwBufferLength=0xce20c, lpdwIndex=0x0 | out: lpBuffer=0xce210*, lpdwBufferLength=0xce20c*=0x4, lpdwIndex=0x0) returned 1 [0141.769] GetProcessHeap () returned 0x580000 [0141.769] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x10000) returned 0x2c7f020 [0141.770] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2c7f020, dwNumberOfBytesToRead=0x10000, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x2c7f020*, lpdwNumberOfBytesRead=0xce1e8*=0x1b7) returned 1 [0141.771] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x2c7f1d7, dwNumberOfBytesToRead=0xfe49, lpdwNumberOfBytesRead=0xce1e8 | out: lpBuffer=0x2c7f1d7*, lpdwNumberOfBytesRead=0xce1e8*=0x0) returned 1 [0141.771] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0141.771] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0141.771] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0141.771] GetProcessHeap () returned 0x580000 [0141.772] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5b0920 | out: hHeap=0x580000) returned 1 [0141.772] GetProcessHeap () returned 0x580000 [0141.772] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x0 | out: hHeap=0x580000) returned 1 [0141.772] BCryptDecrypt (in: hKey=0x5b0360, pbInput=0x2c7f020, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x0, cbOutput=0x0, pcbResult=0xce268, dwFlags=0x1 | out: hKey=0x5b0360, pbIV=0x0, pbOutput=0x0, pcbResult=0xce268) returned 0x0 [0141.772] GetProcessHeap () returned 0x580000 [0141.772] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x60) returned 0x2b3f790 [0141.772] BCryptDecrypt (in: hKey=0x5b0360, pbInput=0x2c7f020, cbInput=0x60, pPaddingInfo=0x0, pbIV=0x0, cbIV=0x0, pbOutput=0x2b3f790, cbOutput=0x60, pcbResult=0xce268, dwFlags=0x1 | out: hKey=0x5b0360, pbIV=0x0, pbOutput=0x2b3f790, pcbResult=0xce268) returned 0x0 [0141.772] GetProcessHeap () returned 0x580000 [0141.772] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x10) returned 0x2affab0 [0141.772] GetProcessHeap () returned 0x580000 [0141.772] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x40) returned 0x2aa7520 [0141.772] BCryptOpenAlgorithmProvider (in: phAlgorithm=0xce180, pszAlgId="SHA256", pszImplementation="Microsoft Primitive Provider", dwFlags=0x0 | out: phAlgorithm=0xce180) returned 0x0 [0141.772] GetProcessHeap () returned 0x580000 [0141.773] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x2affab0 | out: hHeap=0x580000) returned 1 [0141.773] GetProcessHeap () returned 0x580000 [0141.773] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x2aa7520 | out: hHeap=0x580000) returned 1 [0141.773] GetProcessHeap () returned 0x580000 [0141.773] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x20) returned 0x2b173a0 [0141.773] BCryptGetProperty (in: hObject=0x2b35960, pszProperty="ObjectLength", pbOutput=0xce190, cbOutput=0x4, pcbResult=0xce198, dwFlags=0x0 | out: pbOutput=0xce190, pcbResult=0xce198) returned 0x0 [0141.773] GetProcessHeap () returned 0x580000 [0141.773] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x2b173a0 | out: hHeap=0x580000) returned 1 [0141.773] GetProcessHeap () returned 0x580000 [0141.773] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x136) returned 0x2b34060 [0141.773] BCryptCreateHash (in: hAlgorithm=0x2b35960, phHash=0xce178, pbHashObject=0x2b34060, cbHashObject=0x136, pbSecret=0x0, cbSecret=0x0, dwFlags=0x0 | out: hAlgorithm=0x2b35960, phHash=0xce178, pbHashObject=0x2b34060) returned 0x0 [0141.773] BCryptHashData (in: hHash=0x2b34060, pbInput=0x2b3f7d8, cbInput=0x8, dwFlags=0x0 | out: hHash=0x2b34060) returned 0x0 [0141.773] BCryptFinishHash (in: hHash=0x2b34060, pbOutput=0xce258, cbOutput=0x20, dwFlags=0x0 | out: hHash=0x2b34060, pbOutput=0xce258) returned 0x0 [0141.773] BCryptDestroyHash (in: hHash=0x2b34060 | out: hHash=0x2b34060) returned 0x0 [0141.773] GetProcessHeap () returned 0x580000 [0141.773] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x2b34060 | out: hHeap=0x580000) returned 1 [0141.773] BCryptCloseAlgorithmProvider (in: hAlgorithm=0x2b35960, dwFlags=0x0 | out: hAlgorithm=0x2b35960) returned 0x0 [0141.773] BCryptVerifySignature (hKey=0x5ab290, pPaddingInfo=0x0, pbHash=0xce258, cbHash=0x20, pbSignature=0x2b3f794, cbSignature=0x40, dwFlags=0x0) returned 0x0 [0141.776] GetProcessHeap () returned 0x580000 [0141.776] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x8) returned 0x2aa90e0 [0141.776] GetProcessHeap () returned 0x580000 [0141.776] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x2b3f790 | out: hHeap=0x580000) returned 1 [0141.776] GetProcessHeap () returned 0x580000 [0141.776] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x2c7f020 | out: hHeap=0x580000) returned 1 [0141.776] lstrcpyW (in: lpString1=0xce3a0, lpString2="C:\\Windows\\system32\\WIMQPStO\\mlES.dll" | out: lpString1="C:\\Windows\\system32\\WIMQPStO\\mlES.dll") returned="C:\\Windows\\system32\\WIMQPStO\\mlES.dll" [0141.776] PathFindFileNameW (pszPath="C:\\Windows\\system32\\WIMQPStO\\mlES.dll") returned="mlES.dll" [0141.776] GetProcessHeap () returned 0x580000 [0141.776] RtlAllocateHeap (HeapHandle=0x580000, Flags=0x8, Size=0x10) returned 0x2aff990 [0141.776] _snwprintf (in: _Dest=0xcdf20, _Count=0x104, _Format="%s\\*" | out: _Dest="C:\\Windows\\system32\\WIMQPStO\\\\*") returned 31 [0141.776] GetProcessHeap () returned 0x580000 [0141.776] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x2aff990 | out: hHeap=0x580000) returned 1 [0141.776] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WIMQPStO\\\\*" (normalized: "c:\\windows\\system32\\wimqpsto\\*"), lpFindFileData=0xcdcd0 | out: lpFindFileData=0xcdcd0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc36c35b, ftCreationTime.dwHighDateTime=0x1d88f9e, ftLastAccessTime.dwLowDateTime=0xd03ee12, ftLastAccessTime.dwHighDateTime=0x1d88f9e, ftLastWriteTime.dwLowDateTime=0xd03ee12, ftLastWriteTime.dwHighDateTime=0x1d88f9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2a4e320, cFileName=".", cAlternateFileName="")) returned 0x2a38650 [0141.777] FindNextFileW (in: hFindFile=0x2a38650, lpFindFileData=0xcdcd0 | out: lpFindFileData=0xcdcd0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc36c35b, ftCreationTime.dwHighDateTime=0x1d88f9e, ftLastAccessTime.dwLowDateTime=0xd03ee12, ftLastAccessTime.dwHighDateTime=0x1d88f9e, ftLastWriteTime.dwLowDateTime=0xd03ee12, ftLastWriteTime.dwHighDateTime=0x1d88f9e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2a4e320, cFileName="..", cAlternateFileName="")) returned 1 [0141.777] FindNextFileW (in: hFindFile=0x2a38650, lpFindFileData=0xcdcd0 | out: lpFindFileData=0xcdcd0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8448200, ftCreationTime.dwHighDateTime=0x1d88f9d, ftLastAccessTime.dwLowDateTime=0xc8448200, ftLastAccessTime.dwHighDateTime=0x1d88f9d, ftLastWriteTime.dwLowDateTime=0xf3b47600, ftLastWriteTime.dwHighDateTime=0x1d88f77, nFileSizeHigh=0x0, nFileSizeLow=0xf8000, dwReserved0=0x0, dwReserved1=0x2a4e320, cFileName="mlES.dll", cAlternateFileName="")) returned 1 [0141.777] PathCombineW (in: pszDest=0xcda20, pszDir="C:\\Windows\\system32\\WIMQPStO\\", pszFile="mlES.dll" | out: pszDest="C:\\Windows\\system32\\WIMQPStO\\mlES.dll") returned="C:\\Windows\\system32\\WIMQPStO\\mlES.dll" [0141.777] lstrcmpiW (lpString1="C:\\Windows\\system32\\WIMQPStO\\mlES.dll", lpString2="C:\\Windows\\system32\\WIMQPStO\\mlES.dll") returned 0 [0141.777] FindNextFileW (in: hFindFile=0x2a38650, lpFindFileData=0xcdcd0 | out: lpFindFileData=0xcdcd0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8448200, ftCreationTime.dwHighDateTime=0x1d88f9d, ftLastAccessTime.dwLowDateTime=0xc8448200, ftLastAccessTime.dwHighDateTime=0x1d88f9d, ftLastWriteTime.dwLowDateTime=0xf3b47600, ftLastWriteTime.dwHighDateTime=0x1d88f77, nFileSizeHigh=0x0, nFileSizeLow=0xf8000, dwReserved0=0x0, dwReserved1=0x2a4e320, cFileName="mlES.dll", cAlternateFileName="")) returned 0 [0141.777] FindClose (in: hFindFile=0x2a38650 | out: hFindFile=0x2a38650) returned 1 [0141.777] GetProcessHeap () returned 0x580000 [0141.777] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x2aa90e0 | out: hHeap=0x580000) returned 1 [0141.777] GetProcessHeap () returned 0x580000 [0141.778] HeapFree (in: hHeap=0x580000, dwFlags=0x0, lpMem=0x5afa40 | out: hHeap=0x580000) returned 1 [0141.778] WaitForSingleObject (hHandle=0x210, dwMilliseconds=0xe5733) Thread: id = 15 os_tid = 0x5ac Thread: id = 16 os_tid = 0x10c0 Thread: id = 17 os_tid = 0x10c4 Thread: id = 18 os_tid = 0x420 Thread: id = 19 os_tid = 0x2a0 Thread: id = 20 os_tid = 0x98c Thread: id = 21 os_tid = 0x624